diff --git a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json
index fd5d20059ca68..1eac7554cb9b1 100644
--- a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json
+++ b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json
@@ -2560,7 +2560,7 @@
 "Description": "A user-entered description of the flow.",
 "DestinationFlowConfigList": "The configuration that controls how Amazon AppFlow places data in the destination connector.",
 "FlowName": "The specified name of the flow. Spaces are not allowed. Use underscores (_) or hyphens (-) only.",
- "FlowStatus": "Indicates the current status of the flow.",
+ "FlowStatus": "Sets the status of the flow. You can specify one of the following values:\n\n- **Active** - The flow runs based on the trigger settings that you defined. Active scheduled flows run as scheduled, and active event-triggered flows run when the specified change event occurs. However, active on-demand flows run only when you manually start them by using Amazon AppFlow.\n- **Suspended** - You can use this option to deactivate an active flow. Scheduled and event-triggered flows will cease to run until you reactive them. This value only affects scheduled and event-triggered flows. It has no effect for on-demand flows.\n\nIf you omit the FlowStatus parameter, Amazon AppFlow creates the flow with a default status. The default status for on-demand flows is Active. The default status for scheduled and event-triggered flows is Draft, which means they\u2019re not yet active.",
 "KMSArn": "The ARN (Amazon Resource Name) of the Key Management Service (KMS) key you provide for encryption. This is required if you do not want to use the Amazon AppFlow-managed KMS key. If you don't provide anything here, Amazon AppFlow uses the Amazon AppFlow-managed KMS key.",
 "MetadataCatalogConfig": "",
 "SourceFlowConfig": "Contains information about the configuration of the source connector used in the flow.",
@@ -5077,11 +5077,14 @@ "description": "The `AWS::AppSync::GraphQLApi` resource creates a new AWS AppSync GraphQL API. This is the top-level construct for your application. For more information, see [Quick Start](https://docs.aws.amazon.com/appsync/latest/devguide/quickstart.html) in the *AWS AppSync Developer Guide* .", "properties": { "AdditionalAuthenticationProviders": "A list of additional authentication providers for the `GraphqlApi` API.", + "ApiType": "The value that indicates whether the GraphQL API is a standard API ( `GRAPHQL` ) or merged API ( `MERGED` ).\n\nThe following values are valid:\n\n`GRAPHQL | MERGED`", "AuthenticationType": "Security configuration for your GraphQL API. For allowed values (such as `API_KEY` , `AWS_IAM` , `AMAZON_COGNITO_USER_POOLS` , `OPENID_CONNECT` , or `AWS_LAMBDA` ), see [Security](https://docs.aws.amazon.com/appsync/latest/devguide/security.html) in the *AWS AppSync Developer Guide* .", "LambdaAuthorizerConfig": "A `LambdaAuthorizerConfig` holds configuration on how to authorize AWS AppSync API access when using the `AWS_LAMBDA` authorizer mode. Be aware that an AWS AppSync API may have only one Lambda authorizer configured at a time.", "LogConfig": "The Amazon CloudWatch Logs configuration.", + "MergedApiExecutionRoleArn": "The AWS Identity and Access Management service role ARN for a merged API. 
The AppSync service assumes this role on behalf of the Merged API to validate access to source APIs at runtime and to prompt the `AUTO_MERGE` to update the merged API endpoint with the source API changes automatically.", "Name": "The API name.", "OpenIDConnectConfig": "The OpenID Connect configuration.", + "OwnerContact": "The owner contact information for an API resource.\n\nThis field accepts any string input with a length of 0 - 256 characters.", "Tags": "An arbitrary set of tags (key-value pairs) for this GraphQL API.", "UserPoolConfig": "Optional authorization configuration for using Amazon Cognito user pools with your GraphQL endpoint.", "Visibility": "Sets the scope of the GraphQL API to public ( `GLOBAL` ) or private ( `PRIVATE` ). By default, the scope is set to `Global` if no value is provided.", 
@@ -5147,7 +5150,7 @@
 },
 "AWS::AppSync::GraphQLSchema": {
 "attributes": {
- "Ref": "When you pass the logical ID of an `AWS::AppSync::GraphQLSchema` resource to the intrinsic `Ref` function, the function returns the GraphQL API id with the literal String GraphQLSchema attached to it."
+ "Ref": "When you pass the logical ID of an `AWS::AppSync::GraphQLSchema` resource to the intrinsic `Ref` function, the function returns the GraphQL API ID with the literal String GraphQLSchema attached to it."
 },
 "description": "The `AWS::AppSync::GraphQLSchema` resource is used for your AWS AppSync GraphQL schema that controls the data model for your API. Schema files are text written in Schema Definition Language (SDL) format. For more information about schema authoring, see [Designing a GraphQL API](https://docs.aws.amazon.com/appsync/latest/devguide/designing-a-graphql-api.html) in the *AWS AppSync Developer Guide* .\n\n> When you submit an update, AWS CloudFormation updates resources based on differences between what you submit and the stack's current template. To cause this resource to be updated you must change a property value for this resource in the CloudFormation template. Changing the Amazon S3 file content without changing a property value will not result in an update operation.\n> \n> See [Update Behaviors of Stack Resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html) in the *AWS CloudFormation User Guide* .",
 "properties": {
@@ -5222,6 +5225,34 @@ "LambdaConflictHandlerConfig": "The `LambdaConflictHandlerConfig` when configuring `LAMBDA` as the Conflict Handler." } }, + "AWS::AppSync::SourceApiAssociation": { + "attributes": { + "AssociationArn": "The Amazon Resource Name (ARN) of the source API association.", + "AssociationId": "The ID generated by the AppSync service for the source API association.", + "LastSuccessfulMergeDate": "The datetime value of the last successful merge of the source API association. The result will be in UTC format and your local time zone.", + "MergedApiArn": "The Amazon Resource Name (ARN) of the merged API.", + "MergedApiId": "The ID of the merged API.", + "Ref": "When you pass the logical ID of an `AWS::AppSync::SourceApiAssociation` resource to the intrinsic `Ref` function, the function returns the ARN of the source API association.\n\nFor more information about using the `Ref` function, see [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref) .", + "SourceApiArn": "The source API's Amazon Resource Name (ARN) value.", + "SourceApiAssociationStatus": "The state of the source API association.\n\nThe following values are valid:\n\n`MERGE_SCHEDULED | MERGE_FAILED | MERGE_SUCCESS | MERGE_IN_PROGRESS | AUTO_MERGE_SCHEDULE_FAILED | DELETION_SCHEDULED | DELETION_IN_PROGRESS | DELETION_FAILED`", + "SourceApiAssociationStatusDetail": "The message describing the state of the source API association.", + "SourceApiId": "The ID of the source API." + }, + "description": "Describes the configuration of a source API. A source API is a GraphQL API that is linked to a merged API. There can be multiple source APIs attached to each merged API. When linked to a merged API, the source API's schema, data sources, and resolvers will be combined with other linked source API data to form a new, singular API. 
Source APIs can originate from your account or from other accounts via Resource Access Manager.", + "properties": { + "Description": "The description field of the association configuration.", + "MergedApiIdentifier": "The identifier of the AppSync Merged API. This is generated by the AppSync service. In most cases, Merged APIs (especially in your account) only require the API ID value or ARN of the merged API. However, Merged APIs from other accounts (cross-account use cases) strictly require the full resource ARN of the merged API.", + "SourceApiAssociationConfig": "The `SourceApiAssociationConfig` object data.", + "SourceApiIdentifier": "The identifier of the AppSync Source API. This is generated by the AppSync service. In most cases, source APIs (especially in your account) only require the API ID value or ARN of the source API. However, source APIs from other accounts (cross-account use cases) strictly require the full resource ARN of the source API." + } + }, + "AWS::AppSync::SourceApiAssociation.SourceApiAssociationConfig": { + "attributes": {}, + "description": "Describes properties used to specify configurations related to a source API. This is a property of the `AWS:AppSync:SourceApiAssociation` type.", + "properties": { + "MergeType": "The property that indicates which merging option is enabled in the source API association.\n\nValid merge types are `MANUAL_MERGE` (default) and `AUTO_MERGE` . Manual merges are the default behavior and require the user to trigger any changes from the source APIs to the merged API manually. Auto merges subscribe the merged API to the changes performed on the source APIs so that any change in the source APIs are also made to the merged API. 
Auto merges use `MergedApiExecutionRoleArn` to perform merge operations.\n\nThe following values are valid:\n\n`MANUAL_MERGE | AUTO_MERGE`" + } + }, "AWS::ApplicationAutoScaling::ScalableTarget": { "attributes": { "Ref": "When the logical ID of this resource is provided to the `Ref` intrinsic function, `Ref` returns the CloudFormation-generated ID of the resource. For example: `service/ecsStack-MyECSCluster-AB12CDE3F4GH/ecsStack-MyECSService-AB12CDE3F4GH|ecs:service:DesiredCount|ecs` .\n\nCloudFormation uses the following format to generate the ID: `service/ *resource_ID* | *scalable_dimension* | *service_namespace*` .\n\nFor more information about using the `Ref` function, see [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) ." @@ -10049,6 +10080,18 @@ "RoleArn": "An IAM role configured to allow Amazon Cognito to call Amazon SNS on behalf of the developer." } }, + "AWS::Cognito::IdentityPoolPrincipalTag": { + "attributes": { + "Ref": "`Ref` returns the principal tag primary ID, like `us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE|graph.facebook.com` ." + }, + "description": "A list of the identity pool principal tag assignments for attributes for access control.", + "properties": { + "IdentityPoolId": "The identity pool that you want to associate with this principal tag map.", + "IdentityProviderName": "The identity pool identity provider (IdP) that you want to associate with this principal tag map.", + "PrincipalTags": "A JSON-formatted list of user claims and the principal tags that you want to associate with them. When Amazon Cognito requests credentials, it sets the value of the principal tag to the value of the user's claim.", + "UseDefaults": "Use a default set of mappings between claims and tags for this provider, instead of a custom map." + } + }, "AWS::Cognito::IdentityPoolRoleAttachment": { "attributes": { "Ref": "`Ref` returns a generated ID, such as `IdentityPoolRoleAttachment-EXAMPLEwnOR3n` ." 
@@ -16108,6 +16151,7 @@
 "description": "Describes a network interface in an Amazon EC2 instance for AWS CloudFormation .",
 "properties": {
 "Description": "A description for the network interface.",
+ "EnablePrimaryIpv6": "",
 "GroupSet": "The security group IDs associated with this network interface.",
 "InterfaceType": "The type of network interface. The default is `interface` . The supported values are `efa` and `trunk` .",
 "Ipv6AddressCount": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.",
@@ -22057,19 +22101,19 @@ "properties": { "Name": "A descriptive label that is associated with a build. Build names do not need to be unique.", "OperatingSystem": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> If you have active fleets using the Windows Server 2012 operating system, you can continue to create new builds using this OS until October 10, 2023, when Microsoft ends its support. All others must use Windows Server 2016 when creating new Windows-based builds.", - "ServerSdkVersion": "The Amazon GameLift Server SDK version used to develop your game server.", + "ServerSdkVersion": "A server SDK version you used when integrating your game server build with Amazon GameLift. For more information see [Integrate games with custom game servers](https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html) . By default Amazon GameLift sets this value to `4.0.2` .", "StorageLocation": "Information indicating where your game build files are stored. Use this parameter only when creating a build with files stored in an Amazon S3 bucket that you own. The storage location must specify an Amazon S3 bucket name and key. The location must also specify a role ARN that you set up to allow Amazon GameLift to access your Amazon S3 bucket. The S3 bucket and your new build must be in the same Region.\n\nIf a `StorageLocation` is specified, the size of your file can be found in your Amazon S3 bucket. Amazon GameLift will report a `SizeOnDisk` of 0.", "Version": "Version information that is associated with this build. Version strings do not need to be unique." 
} }, "AWS::GameLift::Build.StorageLocation": { "attributes": {}, - "description": "", + "description": "The location in Amazon S3 where build or script files are stored for access by Amazon GameLift.", "properties": { - "Bucket": "", - "Key": "", - "ObjectVersion": "", - "RoleArn": "" + "Bucket": "An Amazon S3 bucket identifier. Thename of the S3 bucket.\n\n> Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).", + "Key": "The name of the zip file that contains the build files or script files.", + "ObjectVersion": "The version of the file, if object versioning is turned on for the bucket. Amazon GameLift uses this information when retrieving files from your S3 bucket. To retrieve a specific version of the file, provide an object version. To retrieve the latest version of the file, do not set this parameter.", + "RoleArn": "The Amazon Resource Name ( [ARN](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html) ) for an IAM role that allows Amazon GameLift to access the S3 bucket." } }, "AWS::GameLift::Fleet": { @@ -22536,7 +22580,10 @@ "attributes": {}, "description": "Specifies an AWS Glue Data Catalog target.", "properties": { + "ConnectionName": "", "DatabaseName": "The name of the database to be synchronized.", + "DlqEventQueueArn": "", + "EventQueueArn": "", "Tables": "A list of the tables to be synchronized." } }, 
@@ -22654,6 +22701,28 @@
 "SseAwsKmsKeyId": "The ID of the AWS KMS key to use for encryption at rest."
 }
 },
+ "AWS::Glue::DataQualityRuleset": {
+ "attributes": {
+ "Ref": ""
+ },
+ "description": "The `AWS::Glue::DataQualityRuleset` resource specifies a data quality ruleset with DQDL rules applied to a specified AWS Glue table. For more information, see AWS Glue Data Quality in the AWS Glue Developer Guide.",
+ "properties": {
+ "ClientToken": "Used for idempotency and is recommended to be set to a random ID (such as a UUID) to avoid creating or starting multiple instances of the same resource.",
+ "Description": "A description of the data quality ruleset.",
+ "Name": "The name of the data quality ruleset.",
+ "Ruleset": "A Data Quality Definition Language (DQDL) ruleset. For more information see the AWS Glue Developer Guide.",
+ "Tags": "A list of tags applied to the data quality ruleset.",
+ "TargetTable": "An object representing an AWS Glue table."
+ }
+ },
+ "AWS::Glue::DataQualityRuleset.TargetTable": {
+ "attributes": {},
+ "description": "An object representing an AWS Glue table.",
+ "properties": {
+ "DatabaseName": "The name of the database where the AWS Glue table exists.",
+ "TableName": "The name of the AWS Glue table."
+ }
+ },
 "AWS::Glue::Database": {
 "attributes": {
 "Ref": "`Ref` returns the database name."
@@ -23269,7 +23338,7 @@ "attributes": { "CreationTimestamp": "The date that the workspace was created.\n\nType: Timestamp", "Endpoint": "The URL that users can use to access the Grafana console in the workspace.\n\nType: String", - "GrafanaVersion": "The version of Grafana supported in this workspace.\n\nType: String", + "GrafanaVersion": "Specifies the version of Grafana supported by this workspace.\n\nType: String", "Id": "The unique ID of this workspace.\n\nType: String", "ModificationTimestamp": "The most recent date that the workspace was modified.\n\nType: Timestamp", "Ref": "`Ref` returns the resource name. For example:\n\n`{ \"Ref\": \"Id\" }`", @@ -23284,6 +23353,7 @@ "ClientToken": "A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request.", "DataSources": "Specifies the AWS data sources that have been configured to have IAM roles and permissions created to allow Amazon Managed Grafana to read data from these sources.\n\nThis list is only used when the workspace was created through the AWS console, and the `permissionType` is `SERVICE_MANAGED` .", "Description": "The user-defined description of the workspace.", + "GrafanaVersion": "Specifies the version of Grafana to support in the new workspace.\n\nSupported values are `8.4` and `9.4` .", "Name": "The name of the workspace.", "NetworkAccessControl": "The configuration settings for network access to your workspace.", "NotificationDestinations": "The AWS notification channels that Amazon Managed Grafana can automatically create IAM roles and permissions for, to allow Amazon Managed Grafana to use these channels.", 
@@ -23293,7 +23363,7 @@ "RoleArn": "The IAM role that grants permissions to the AWS resources that the workspace will view data from. This role must already exist.", "SamlConfiguration": "If the workspace uses SAML, use this structure to map SAML assertion attributes to workspace user information and define which groups in the assertion attribute are to have the `Admin` and `Editor` roles in the workspace.", "StackSetName": "The name of the AWS CloudFormation stack set that is used to generate IAM roles to be used for this workspace.", - "VpcConfiguration": "The configuration for connecting to data sources in a private VPC ( Amazon Virtual Private Cloud )." + "VpcConfiguration": "The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to.\n\n> Connecting to a private VPC is not yet available in the Asia Pacific (Seoul) Region (ap-northeast-2)." } }, "AWS::Grafana::Workspace.AssertionAttributes": { @@ -27847,6 +27917,7 @@ "Action": "", "CollectionScheme": "", "Compression": "", + "DataDestinationConfigs": "", "DataExtraDimensions": "", "Description": "The description of the campaign.", "DiagnosticsMode": "", @@ -27880,6 +27951,24 @@ "TriggerMode": "" } }, + "AWS::IoTFleetWise::Campaign.DataDestinationConfig": { + "attributes": {}, + "description": "", + "properties": { + "S3Config": "", + "TimestreamConfig": "" + } + }, + "AWS::IoTFleetWise::Campaign.S3Config": { + "attributes": {}, + "description": "", + "properties": { + "BucketArn": "", + "DataFormat": "", + "Prefix": "", + "StorageCompressionFormat": "" + } + }, "AWS::IoTFleetWise::Campaign.SignalInformation": { "attributes": {}, "description": "Information about a signal.", @@ -27896,6 +27985,14 @@ "PeriodMs": "" } }, + "AWS::IoTFleetWise::Campaign.TimestreamConfig": { + "attributes": {}, + "description": "", + "properties": { + "ExecutionRoleArn": "", + "TimestreamTableArn": "" + } + }, "AWS::IoTFleetWise::DecoderManifest": { "attributes": { "Arn": "", 
@@ -33977,6 +34074,7 @@ "EngineType": "The type of the target platform for this application.", "KmsKeyId": "The identifier of a customer managed key.", "Name": "The name of the application.", + "RoleArn": "", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." } }, @@ -37779,10 +37877,6 @@ "CoreNetworkArn": "The ARN of the core network.", "CreatedAt": "The timestamp when the Connect attachment was created.", "OwnerAccountId": "The ID of the Connect attachment owner.", - "ProposedSegmentChange": "", - "ProposedSegmentChange.AttachmentPolicyRuleNumber": "", - "ProposedSegmentChange.SegmentName": "", - "ProposedSegmentChange.Tags": "", "Ref": "`Ref` returns the `AttachmentId` . For example, `{ \"Ref: \"attachment-02767e74104a33690\" }` .", "ResourceArn": "The resource ARN for the Connect attachment.", "SegmentName": "The name of the Connect attachment's segment.", @@ -37794,6 +37888,7 @@ "CoreNetworkId": "The ID of the core network where the Connect attachment is located.", "EdgeLocation": "The Region where the edge is located.", "Options": "Options for connecting an attachment.", + "ProposedSegmentChange": "", "Tags": "", "TransportAttachmentId": "The ID of the transport attachment." } 
@@ -38024,10 +38119,6 @@ "CreatedAt": "The timestamp when the site-to-site VPN attachment was created.", "EdgeLocation": "The Region where the core network edge is located.", "OwnerAccountId": "The ID of the site-to-site VPN attachment owner.", - "ProposedSegmentChange": "", - "ProposedSegmentChange.AttachmentPolicyRuleNumber": "", - "ProposedSegmentChange.SegmentName": "", - "ProposedSegmentChange.Tags": "", "Ref": "`Ref` returns the `AttachmentId` . For example, `{ \"Ref: \"attachment-05467e74104d33861\" }` .", "ResourceArn": "The resource ARN for the site-to-site VPN attachment.", "SegmentName": "The name of the site-to-site VPN attachment's segment.", @@ -38037,6 +38128,7 @@ "description": "Creates an Amazon Web Services site-to-site VPN attachment on an edge location of a core network.", "properties": { "CoreNetworkId": "", + "ProposedSegmentChange": "", "Tags": "", "VpnConnectionArn": "The ARN of the site-to-site VPN attachment." } @@ -38122,10 +38214,6 @@ "CreatedAt": "The timestamp when the VPC attachment was created.", "EdgeLocation": "The Region where the core network edge is located.", "OwnerAccountId": "The ID of the VPC attachment owner.", - "ProposedSegmentChange": "", - "ProposedSegmentChange.AttachmentPolicyRuleNumber": "", - "ProposedSegmentChange.SegmentName": "", - "ProposedSegmentChange.Tags": "", "Ref": "`Ref` returns the `AttachmentId` . For example, `{ \"Ref: \"attachment-00067e74104d33769\" }` .", "ResourceArn": "The resource ARN for the VPC attachment.", "SegmentName": "The name of the attachment's segment.", @@ -38136,6 +38224,7 @@ "properties": { "CoreNetworkId": "The core network ID.", "Options": "Options for creating the VPC attachment.", + "ProposedSegmentChange": "", "SubnetArns": "The subnet ARNs.", "Tags": "The tags associated with the VPC attachment.", "VpcArn": "The ARN of the VPC attachment." 
@@ -38756,6 +38845,7 @@
 "DedicatedMasterType": "The hardware configuration of the computer that hosts the dedicated master node, such as `m3.medium.search` . If you specify this property, you must specify `true` for the `DedicatedMasterEnabled` property. For valid values, see [Supported instance types in Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html) .",
 "InstanceCount": "The number of data nodes (instances) to use in the OpenSearch Service domain.",
 "InstanceType": "The instance type for your data nodes, such as `m3.medium.search` . For valid values, see [Supported instance types in Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html) .",
+ "MultiAZWithStandbyEnabled": "Indicates whether Multi-AZ with Standby deployment option is enabled. For more information, see [Multi-AZ with Standby](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-multiaz.html#managedomains-za-standby) .",
 "WarmCount": "The number of warm nodes in the cluster.",
 "WarmEnabled": "Whether to enable UltraWarm storage for the cluster. See [UltraWarm storage for Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ultrawarm.html) .",
 "WarmType": "The instance type for the cluster's warm nodes.",
@@ -55924,6 +56014,7 @@ "description": "The configuration for the URI path route type.", "properties": { "ActivationState": "If set to `ACTIVE` , traffic is forwarded to this route\u2019s service after the route is created.", + "AppendSourcePath": "", "IncludeChildPaths": "Indicates whether to match all subpaths of the given source path. If this value is `false` , requests must match the source path exactly before they are forwarded to this route's service.", "Methods": "A list of HTTP methods to match. An empty list matches all values. If a method is present, only HTTP requests using that method are forwarded to this route\u2019s service.", "SourcePath": "This is the path that Refactor Spaces uses to match traffic. Paths must start with `/` and are relative to the base of the application. To use path parameters in the source path, add a variable in curly braces. For example, the resource path {user} represents a path parameter called 'user'." @@ -56100,6 +56191,7 @@ "attributes": {}, "description": "Defines a resource mapping.", "properties": { + "EksSourceName": "", "LogicalStackName": "The name of the CloudFormation stack this resource is mapped to.", "MappingType": "Specifies the type of resource mapping.\n\nValid Values: CfnStack | Resource | AppRegistryApp | ResourceGroup | Terraform\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a CloudFormation stack. The name of the CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to a resource group. The name of the resource group is contained in the `resourceGroupName` property.", "PhysicalResourceId": "The identifier of this resource.", 
@@ -58212,10 +58304,10 @@ "attributes": { "Ref": "`Ref` returns the resource name." }, - "description": "Create a new pool of dedicated IP addresses. A pool can include one or more dedicated IP addresses that are associated with your AWS account . You can associate a pool with a configuration set. When you send an email that uses that configuration set, the message is sent from one of the addresses in the associated pool.\n\n> You can't delete dedicated IP pools that have a `STANDARD` scaling mode and one or more dedicated IP addresses. This constraint doesn't apply to dedicated IP pools that have a `MANAGED` scaling mode.", + "description": "Create a new pool of dedicated IP addresses. A pool can include one or more dedicated IP addresses that are associated with your AWS account . You can associate a pool with a configuration set. When you send an email that uses that configuration set, the message is sent from one of the addresses in the associated pool.\n\n> You can't delete dedicated IP pools that have a `STANDARD` scaling mode with one or more dedicated IP addresses. This constraint doesn't apply to dedicated IP pools that have a `MANAGED` scaling mode.", "properties": { "PoolName": "The name of the dedicated IP pool that the IP address is associated with.", - "ScalingMode": "The type of scaling mode.\n\nThe following options are available:\n\n- `STANDARD` - The customer controls which IPs are part of the dedicated IP pool.\n- `MANAGED` - The reputation and number of IPs is automatically managed by Amazon SES .\n\nThe `STANDARD` option is selected by default if no value is specified." 
+ "ScalingMode": "The type of scaling mode.\n\nThe following options are available:\n\n- `STANDARD` - The customer controls which IPs are part of the dedicated IP pool.\n- `MANAGED` - The reputation and number of IPs are automatically managed by Amazon SES .\n\nThe `STANDARD` option is selected by default if no value is specified.\n\n> Updating *ScalingMode* doesn't require a replacement if you're updating its value from `STANDARD` to `MANAGED` . However, updating *ScalingMode* from `MANAGED` to `STANDARD` is not supported." } }, "AWS::SES::EmailIdentity": { @@ -58950,7 +59042,7 @@ "description": "The `Stage` property type specifies a set amount of time that an escalation plan or engagement plan engages the specified contacts or contact methods.", "properties": { "DurationInMinutes": "The time to wait until beginning the next stage. The duration can only be set to 0 if a target is specified.", - "RotationIds": "", + "RotationIds": "The Amazon Resource Names (ARNs) of the on-call rotations associated with the plan.", "Targets": "The contacts or contact methods that the escalation plan or engagement plan is engaging." } }, 
@@ -61639,15 +61731,13 @@ "ProjectArn": "The Amazon Resource Name (ARN) of the project.", "ProjectId": "The ID of the project. This ID is prepended to all entities associated with this project.", "ProjectStatus": "The status of the project.", - "Ref": "", - "ServiceCatalogProvisionedProductDetails": "The product ID and status message of the projet as a service catalog provisioned product. For information, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", - "ServiceCatalogProvisionedProductDetails.ProvisionedProductId": "", - "ServiceCatalogProvisionedProductDetails.ProvisionedProductStatusMessage": "" + "Ref": "" }, "description": "Creates a machine learning (ML) project that can contain one or more templates that set up an ML pipeline from training to deploying an approved model.", "properties": { "ProjectDescription": "The description of the project.", "ProjectName": "The name of the project.", + "ServiceCatalogProvisionedProductDetails": "", "ServiceCatalogProvisioningDetails": "The product ID and provisioning artifact ID to provision a service catalog. For information, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", "Tags": "A list of key-value pairs to apply to this resource.\n\nFor more information, see [Resource Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) and [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html#allocation-what) in the *AWS Billing and Cost Management User Guide* ." } 
@@ -62628,6 +62718,83 @@
 "FailureThreshold": "> This parameter is no longer supported and is always set to 1. AWS Cloud Map waits for approximately 30 seconds after receiving an `UpdateInstanceCustomHealthStatus` request before changing the status of the service instance. \n\nThe number of 30-second intervals that you want AWS Cloud Map to wait after receiving an `UpdateInstanceCustomHealthStatus` request before it changes the health status of a service instance.\n\nSending a second or subsequent `UpdateInstanceCustomHealthStatus` request with the same value before 30 seconds has passed doesn't accelerate the change. AWS Cloud Map still waits `30` seconds after the first request to make the change."
 }
 },
+ "AWS::Shield::DRTAccess": {
+ "attributes": {
+ "AccountId": "The ID of the account that submitted the template.",
+ "Ref": "`Ref` returns the ID of the account that submitted the template."
+ },
+ "description": "Provides permissions for the AWS Shield Advanced Shield response team (SRT) to access your account and your resource protections, to help you mitigate potential distributed denial of service (DDoS) attacks.\n\n> To configure this resource through AWS CloudFormation , you must be subscribed to AWS Shield Advanced . You can subscribe through the [Shield Advanced console](https://docs.aws.amazon.com/wafv2/shieldv2#/) and through the APIs. For more information, see [Subscribe to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html) .",
+ "properties": {
+ "LogBucketList": "Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources. You can associate up to 10 Amazon S3 buckets with your subscription.\n\nUse this to share information with the SRT that's not available in AWS WAF logs.\n\nTo use the services of the SRT, you must be subscribed to the [Business Support plan](https://docs.aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://docs.aws.amazon.com/premiumsupport/enterprise-support/) .",
+ "RoleArn": "Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs.\n\nYou can associate only one `RoleArn` with your subscription. If you submit this update for an account that already has an associated role, the new `RoleArn` will replace the existing `RoleArn` .\n\nThis change requires the following:\n\n- You must be subscribed to the [Business Support plan](https://docs.aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://docs.aws.amazon.com/premiumsupport/enterprise-support/) .\n- You must have the `iam:PassRole` permission. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) .\n- The `AWSShieldDRTAccessPolicy` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at [AWSShieldDRTAccessPolicy](https://docs.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy) . For information, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) .\n- The role must trust the service principal `drt.shield.amazonaws.com` . For information, see [IAM JSON policy elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) .\n\nThe SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you."
+ }
+ },
+ "AWS::Shield::ProactiveEngagement": {
+ "attributes": {
+ "AccountId": "The ID of the account that submitted the template.",
+ "Ref": "`Ref` returns the ID of the account that submitted the template."
+ },
+ "description": "Authorizes the Shield Response Team (SRT) to use email and phone to notify contacts about escalations to the SRT and to initiate proactive customer support.\n\nTo enable proactive engagement, you must be subscribed to the [Business Support plan](https://docs.aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://docs.aws.amazon.com/premiumsupport/enterprise-support/) .\n\n> To configure this resource through AWS CloudFormation , you must be subscribed to AWS Shield Advanced . You can subscribe through the [Shield Advanced console](https://docs.aws.amazon.com/wafv2/shieldv2#/) and through the APIs. For more information, see [Subscribe to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html) .",
+ "properties": {
+ "EmergencyContactList": "The list of email addresses and phone numbers that the Shield Response Team (SRT) can use to contact you for escalations to the SRT and to initiate proactive customer support, plus any relevant notes.\n\nTo enable proactive engagement, the contact list must include at least one phone number.\n\nIf you provide more than one contact, in the notes, indicate the circumstances under which each contact should be used. Include primary and secondary contact designations, and provide the hours of availability and time zones for each contact.\n\nExample contact notes:\n\n- This is a hotline that's staffed 24x7x365. Please work with the responding analyst and they will get the appropriate person on the call.\n- Please contact the secondary phone number if the hotline doesn't respond within 5 minutes.",
+ "ProactiveEngagementStatus": "Specifies whether proactive engagement is enabled or disabled.\n\nValid values:\n\n`ENABLED` - The Shield Response Team (SRT) will use email and phone to notify contacts about escalations to the SRT and to initiate proactive customer support.\n\n`DISABLED` - The SRT will not proactively notify contacts about escalations or to initiate proactive customer support."
+ }
+ },
+ "AWS::Shield::ProactiveEngagement.EmergencyContact": {
+ "attributes": {},
+ "description": "Contact information that the SRT can use to contact you if you have proactive engagement enabled, for escalations to the SRT and to initiate proactive customer support.",
+ "properties": {
+ "ContactNotes": "Additional notes regarding the contact.",
+ "EmailAddress": "The email address for the contact.",
+ "PhoneNumber": "The phone number for the contact."
+ }
+ },
+ "AWS::Shield::Protection": {
+ "attributes": {
+ "ProtectionArn": "The ARN (Amazon Resource Name) of the new protection.",
+ "ProtectionId": "The ID of the new protection.",
+ "Ref": "`Ref` returns the ARN (Amazon Resource Name) of the protection."
+ },
+ "description": "Enables AWS Shield Advanced for a specific AWS resource. The resource can be an Amazon CloudFront distribution, Amazon Route\u00a053 hosted zone, AWS Global Accelerator standard accelerator, Elastic IP Address, Application Load Balancer, or a Classic Load Balancer. You can protect Amazon EC2 instances and Network Load Balancers by association with protected Amazon EC2 Elastic IP addresses.\n\nUse this to add protection to a single resource at a time. You can add protection to multiple resources at once through the [Shield Advanced console](https://docs.aws.amazon.com/wafv2/shieldv2#/) . For more information see [Getting Started with AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-ddos.html) and [Managing resource protections in AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-manage-protected-resources.html) .\n\n> To configure this resource through AWS CloudFormation , you must be subscribed to AWS Shield Advanced . You can subscribe through the [Shield Advanced console](https://docs.aws.amazon.com/wafv2/shieldv2#/) and through the APIs. For more information, see [Subscribe to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html) .",
+ "properties": {
+ "ApplicationLayerAutomaticResponseConfiguration": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.",
+ "HealthCheckArns": "The ARN (Amazon Resource Name) of the health check to associate with the protection. Health-based detection provides improved responsiveness and accuracy in attack detection and mitigation.\n\nYou can use this option with any resource type except for Route\u00a053 hosted zones.\n\nFor more information, see [Configuring health-based detection using health checks](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-health-checks.html) in the *AWS Shield Advanced Developer Guide* .",
+ "Name": "The name of the protection. For example, `My CloudFront distributions` .",
+ "ResourceArn": "The ARN (Amazon Resource Name) of the AWS resource that is protected.",
+ "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS Shield Advanced APIs or command line interface. With AWS CloudFormation , you can only add tags to resources during resource creation."
+ }
+ },
+ "AWS::Shield::Protection.Action": {
+ "attributes": {},
+ "description": "Specifies the action setting that Shield Advanced should use in the AWS WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the AWS WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource.",
+ "properties": {
+ "Block": "Specifies that Shield Advanced should configure its AWS WAF rules with the AWS WAF `Block` action.\n\nYou must specify exactly one action, either `Block` or `Count` .\n\nExample JSON: `{ \"Block\": {} }`\n\nExample YAML: `Block: {}`",
+ "Count": "Specifies that Shield Advanced should configure its AWS WAF rules with the AWS WAF `Count` action.\n\nYou must specify exactly one action, either `Block` or `Count` .\n\nExample JSON: `{ \"Count\": {} }`\n\nExample YAML: `Count: {}`"
+ }
+ },
+ "AWS::Shield::Protection.ApplicationLayerAutomaticResponseConfiguration": {
+ "attributes": {},
+ "description": "The automatic application layer DDoS mitigation settings for a `Protection` . This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.",
+ "properties": {
+ "Action": "Specifies the action setting that Shield Advanced should use in the AWS WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the AWS WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource.",
+ "Status": "Indicates whether automatic application layer DDoS mitigation is enabled for the protection."
+ }
+ },
+ "AWS::Shield::ProtectionGroup": {
+ "attributes": {
+ "ProtectionGroupArn": "The ARN (Amazon Resource Name) of the new protection group.",
+ "Ref": "`Ref` returns the ARN (Amazon Resource Name) of the protection group."
+ },
+ "description": "Creates a grouping of protected resources so they can be handled as a collective. This resource grouping improves the accuracy of detection and reduces false positives.\n\n> To configure this resource through AWS CloudFormation , you must be subscribed to AWS Shield Advanced . You can subscribe through the [Shield Advanced console](https://docs.aws.amazon.com/wafv2/shieldv2#/) and through the APIs. For more information, see [Subscribe to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html) .",
+ "properties": {
+ "Aggregation": "Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events.\n\n- Sum - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically.\n- Mean - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers.\n- Max - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.",
+ "Members": "The ARNs (Amazon Resource Names) of the resources to include in the protection group. You must set this when you set `Pattern` to `ARBITRARY` and you must not set it for any other `Pattern` setting.",
+ "Pattern": "The criteria to use to choose the protected resources for inclusion in the group. You can include all resources that have protections, provide a list of resource ARNs (Amazon Resource Names), or include all resources of a specified resource type.",
+ "ProtectionGroupId": "The name of the protection group. You use this to identify the protection group in lists and to manage the protection group, for example to update, delete, or describe it.",
+ "ResourceType": "The resource type to include in the protection group. All protected resources of this type are included in the protection group. You must set this when you set `Pattern` to `BY_RESOURCE_TYPE` and you must not set it for any other `Pattern` setting.",
+ "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS Shield Advanced APIs or command line interface. With AWS CloudFormation , you can only add tags to resources during resource creation."
+ }
+ },
 "AWS::Signer::ProfilePermission": {
 "attributes": {
 "Ref": "The StatementId and ProfileName in the form StatementId|ProfileName"