chore(release): 2.123.0 #28842

Merged
merged 37 commits into from
Jan 24, 2024

aws-cdk-automation
Collaborator

@aws-cdk-automation aws-cdk-automation commented Jan 24, 2024

See CHANGELOG

aaythapa and others added 30 commits January 18, 2024 14:02
…rops (#28730)

Add an optional `Cooldown` parameter that allows users to define the grace period after a scaling activity. Default will be `undefined` to maintain compatibility. 


Closes #8298.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…28718)

Currently, Amazon.CDK.AWS.Apigatewayv2 lacks support for the AWS option as the [IntegrationType](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-integration.html#cfn-apigatewayv2-integration-integrationtype) for WebSocket Apigateway.

Added the capability that allows users to create a WebSocket Apigateway that directly calls other AWS services without a Lambda function middleware.

Closes #27164.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… sets (#28741)

Updates the messaging from diff when creating a changeset to clarify that the changeset will not be deployed.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…up (#28548)

This change adds a dependency to log retention if logconfig is set for `GraphqlApi`. This in turn avoids the race condition when subsequent resources refer to the log group property of `GraphqlApi.logGroup`

logGroup is now referring to the custom resource's output log ARN and further resources will depend on the custom resource to be created first.

Closes #26564

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…28772)

#28658 missed changing one of the paths (i.e., it didn't remove the extra '..') and I was still getting the "cannot find entry file" error. I can confirm that my CDK stack works as expected after making the change locally.

This is my first CDK PR. I did the following:

```
yarn install
npx lerna run build --scope=@aws-cdk/aws-amplify-alpha
cd packages/@aws-cdk/aws-amplify-alpha
yarn build
yarn test
yarn integ-runner --update-on-failed
npx lerna run build --scope=aws-cdk-lib
```

Closes #28764

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
updates to roadmap

Closes #<issue number here>.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…URU_PROFILER` properties when creating Amazon CodeGuruProfiler profiling group (#28762)

> # Issue
> > When `{ profiling: true }` CDK creates a profiling group using autogenerated parameters which is never set as an environment variable. This causes another profiling group with default parameters to be created by the lambda. This can create permissions issues. This is an issue when the Lambda has Java or Python runtime but not other runtimes.
> # Solution
> > For the python, corretto and jdk11 runtime, they will not look at `AWS_CODEGURU_PROFILER_GROUP_ARN` and will only look at `AWS_CODEGURU_PROFILER_GROUP_NAME` and `AWS_CODEGURU_PROFILER_TARGET_REGION`. Runtimes that support `AWS_CODEGURU_PROFILER_GROUP_ARN` prefer `AWS_CODEGURU_PROFILER_GROUP_NAME` and `AWS_CODEGURU_PROFILER_TARGET_REGION` and fall back onto the ARN. So the solution sets these values as potential environment variables.
> # Important Design Decisions
> > I changed profiling validation to not error and instead warn the user to have environment variables remain consistent with each other while having no backwards compatibility concerns.

Closes #23511 .

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The `no-qualified-construct` rule is meant to make sure there are no collisions with `constructs.Construct` and `core.Construct`. This was helpful when reducing merge conflicts between v1 and v2 branches. 

We no longer have this issue, and CDK v2 does not include `core.Constructs`; we use `constructs.Construct` everywhere.

Also I documented our other eslint-plugin rules that seem to still make sense in the README.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
While working on a project in which we create a launch template using the aws-ec2 module, I encountered a typo in the docstring, in which the word "SSH" had been typed as "SSK". This pull request aims to replace the word "SSK" with "SSH".

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ot find entry file…" (#28760)

Error:
```
Error: Cannot find entry file at /node_modules/@aws-cdk/custom-resource-handlers/dist/
aws-redshift-alpha/asset-deployment-handler/index.js
```

This PR fixes the same issue detailed in #28658 but for `aws-redshift-alpha` as both modules have the same issue with accessing `custom-resource-handlers`. 

This PR uses the same airlift mechanism as `aws-cdk-lib` to move the necessary files into the `aws-redshift-alpha` package so its structure now looks like this:
```
|-- @aws-cdk 
    |-- aws-redshift-alpha
        |-- custom-resource-handlers/dist/aws-redshift-alpha // airlifted in via this PR
    |-- custom-resource-handlers/dist
        |-- aws-redshift-alpha
```

The airlift script only moves the `index.js` file and not the `*/generated.ts` files because imports in alpha module `*/generated.ts` files do not currently work since the import paths were written to only support stable modules in `aws-cdk-lib`. 

I've tested the `aws-redshift-alpha` package locally on a local CDK app and confirmed the necessary structure exists in the packaged module. The local app calls the `cluster.enableRebootForParameterChanges()` method which creates the custom resource and I was able to verify that the cluster deploys properly and is rebootable. 

Related to #28633 but this is the fix for `aws-redshift-alpha`

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Realized there were 2 integration test docs and the one under @aws-cdk-testing had more pragmatic steps on how to run the integration tests. Updated the docs of the other integ file to link to the readme in @aws-cdk-testing and then added a section on setup for the steps on how to build the package.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Feature

Support the newly launched custom data identifiers feature for CloudWatch Logs sensitive data protection.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-custom-data-identifiers.html

### Use Case

Custom data identifiers (CDIs) let you define your own custom regular expressions that can be used in your data protection policy. Using custom data identifiers, you can target business-specific personally identifiable information (PII) use cases that managed data identifiers can't provide. For example, you can use a custom data identifier to look for company-specific employee IDs. Custom data identifiers can be used in conjunction with managed data identifiers.

### Solution
Users can now supply a `regex` field to the `DataIdentifiers` constructor. Supplying this field will enable the named identifier as a custom data identifier. 

Closes #28430.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR adds support for importing data from a bucket.
This feature is not supported by `AWS::DynamoDB::GlobalTable`, so it is implemented only in the `Table` construct.

### Details of this feature
Users can create a DynamoDB table using data from the bucket.
The data to be imported can be a single object or multiple objects.
This can be selected by specifying the prefix of the key.

Data format must be CSV, DynamoDB JSON, or Amazon Ion.
ZSTD or GZIP compressed data can also be imported.

For CSV files, delimiter and header can be specified as options.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/S3forDynamoDB.html

In CloudFormation, use this feature as follows:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        -
          AttributeName: "id"
          AttributeType: "S"
      KeySchema:
        -
          AttributeName: "id"
          KeyType: "HASH"
      TableName: "myTableName"
      ImportSourceSpecification:
        InputCompressionType: NONE # GZIP | ZSTD 
        InputFormat: DYNAMODB_JSON # ION | CSV
        S3BucketSource:
          S3Bucket: cloudfs-s3
          S3KeyPrefix: db
```
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-importsourcespecification.html

Closes #21825

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bumps [actions/cache](https://github.com/actions/cache) from 3 to 4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p>
<blockquote>
<h2>v4.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Update action to node20 by <a href="https://github.com/takost"><code>@​takost</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1284">actions/cache#1284</a></li>
<li>feat: save-always flag by <a href="https://github.com/to-s"><code>@​to-s</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1242">actions/cache#1242</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/takost"><code>@​takost</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1284">actions/cache#1284</a></li>
<li><a href="https://github.com/to-s"><code>@​to-s</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1242">actions/cache#1242</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v3...v4.0.0">https://github.com/actions/cache/compare/v3...v4.0.0</a></p>
<h2>v3.3.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Cache v3.3.3 by <a href="https://github.com/robherley"><code>@​robherley</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1302">actions/cache#1302</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/robherley"><code>@​robherley</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1302">actions/cache#1302</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v3...v3.3.3">https://github.com/actions/cache/compare/v3...v3.3.3</a></p>
<h2>v3.3.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Fixed readme with new segment timeout values by <a href="https://github.com/kotewar"><code>@​kotewar</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1133">actions/cache#1133</a></li>
<li>Readme fixes by <a href="https://github.com/kotewar"><code>@​kotewar</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1134">actions/cache#1134</a></li>
<li>Updated description of the lookup-only input for main action by <a href="https://github.com/kotewar"><code>@​kotewar</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1130">actions/cache#1130</a></li>
<li>Change two new actions mention as quoted text by <a href="https://github.com/bishal-pdMSFT"><code>@​bishal-pdMSFT</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1131">actions/cache#1131</a></li>
<li>Update Cross-OS Caching tips by <a href="https://github.com/pdotl"><code>@​pdotl</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1122">actions/cache#1122</a></li>
<li>Bazel example (Take <a href="https://redirect.github.com/actions/cache/issues/2">#2</a>️⃣) by <a href="https://github.com/vorburger"><code>@​vorburger</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1132">actions/cache#1132</a></li>
<li>Remove actions to add new PRs and issues to a project board by <a href="https://github.com/jorendorff"><code>@​jorendorff</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1187">actions/cache#1187</a></li>
<li>Consume latest toolkit and fix dangling promise bug by <a href="https://github.com/chkimes"><code>@​chkimes</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1217">actions/cache#1217</a></li>
<li>Bump action version to 3.3.2 by <a href="https://github.com/bethanyj28"><code>@​bethanyj28</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1236">actions/cache#1236</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/vorburger"><code>@​vorburger</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1132">actions/cache#1132</a></li>
<li><a href="https://github.com/jorendorff"><code>@​jorendorff</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1187">actions/cache#1187</a></li>
<li><a href="https://github.com/chkimes"><code>@​chkimes</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1217">actions/cache#1217</a></li>
<li><a href="https://github.com/bethanyj28"><code>@​bethanyj28</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1236">actions/cache#1236</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v3...v3.3.2">https://github.com/actions/cache/compare/v3...v3.3.2</a></p>
<h2>v3.3.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Reduced download segment size to 128 MB and timeout to 10 minutes by <a href="https://github.com/kotewar"><code>@​kotewar</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1129">actions/cache#1129</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v3...v3.3.1">https://github.com/actions/cache/compare/v3...v3.3.1</a></p>
<h2>v3.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Bug: Permission is missing in cache delete example by <a href="https://github.com/kotokaze"><code>@​kotokaze</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1123">actions/cache#1123</a></li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's changelog</a>.</em></p>
<blockquote>
<h1>Releases</h1>
<h3>3.0.0</h3>
<ul>
<li>Updated minimum runner version support from node 12 -&gt; node 16</li>
</ul>
<h3>3.0.1</h3>
<ul>
<li>Added support for caching from GHES 3.5.</li>
<li>Fixed download issue for files &gt; 2GB during restore.</li>
</ul>
<h3>3.0.2</h3>
<ul>
<li>Added support for dynamic cache size cap on GHES.</li>
</ul>
<h3>3.0.3</h3>
<ul>
<li>Fixed avoiding empty cache save when no files are available for caching. (<a href="https://redirect.github.com/actions/cache/issues/624">issue</a>)</li>
</ul>
<h3>3.0.4</h3>
<ul>
<li>Fixed tar creation error while trying to create tar with path as <code>~/</code> home folder on <code>ubuntu-latest</code>. (<a href="https://redirect.github.com/actions/cache/issues/689">issue</a>)</li>
</ul>
<h3>3.0.5</h3>
<ul>
<li>Removed error handling by consuming actions/cache 3.0 toolkit, Now cache server error handling will be done by toolkit. (<a href="https://redirect.github.com/actions/cache/pull/834">PR</a>)</li>
</ul>
<h3>3.0.6</h3>
<ul>
<li>Fixed <a href="https://redirect.github.com/actions/cache/issues/809">#809</a> - zstd -d: no such file or directory error</li>
<li>Fixed <a href="https://redirect.github.com/actions/cache/issues/833">#833</a> - cache doesn't work with github workspace directory</li>
</ul>
<h3>3.0.7</h3>
<ul>
<li>Fixed <a href="https://redirect.github.com/actions/cache/issues/810">#810</a> - download stuck issue. A new timeout is introduced in the download process to abort the download if it gets stuck and doesn't finish within an hour.</li>
</ul>
<h3>3.0.8</h3>
<ul>
<li>Fix zstd not working for windows on gnu tar in issues <a href="https://redirect.github.com/actions/cache/issues/888">#888</a> and <a href="https://redirect.github.com/actions/cache/issues/891">#891</a>.</li>
<li>Allowing users to provide a custom timeout as input for aborting download of a cache segment using an environment variable <code>SEGMENT_DOWNLOAD_TIMEOUT_MINS</code>. Default is 60 minutes.</li>
</ul>
<h3>3.0.9</h3>
<ul>
<li>Enhanced the warning message for cache unavailability in case of GHES.</li>
</ul>
<h3>3.0.10</h3>
<ul>
<li>Fix a bug with sorting inputs.</li>
<li>Update definition for restore-keys in README.md</li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/actions/cache/commit/13aacd865c20de90d75de3b17ebe84f7a17d57d2"><code>13aacd8</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1242">#1242</a> from to-s/main</li>
<li><a href="https://github.com/actions/cache/commit/53b35c543921fe2e8b288765ff817de9de8d906f"><code>53b35c5</code></a> Merge branch 'main' into main</li>
<li><a href="https://github.com/actions/cache/commit/65b8989fab3bb394817bdb845a453dff480c2b51"><code>65b8989</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1284">#1284</a> from takost/update-to-node-20</li>
<li><a href="https://github.com/actions/cache/commit/d0be34d54485f31ca2ccbe66e6ea3d96544a807b"><code>d0be34d</code></a> Fix dist</li>
<li><a href="https://github.com/actions/cache/commit/66cf064d47313d2cccf392d01bd10925da2bd072"><code>66cf064</code></a> Merge branch 'main' into update-to-node-20</li>
<li><a href="https://github.com/actions/cache/commit/1326563738ddb735c5f2ce85cba8c79f33b728cd"><code>1326563</code></a> Merge branch 'main' into main</li>
<li><a href="https://github.com/actions/cache/commit/e71876755e268d6cc25a5d3e3c46ae447e35290a"><code>e718767</code></a> Fix format</li>
<li><a href="https://github.com/actions/cache/commit/01229828ffa049a8dee4db27bcb23ed33f2b451f"><code>0122982</code></a> Apply workaround for earlyExit</li>
<li><a href="https://github.com/actions/cache/commit/3185ecfd6135856ca6d904ae032cff4f39b8b365"><code>3185ecf</code></a> Update &quot;only-&quot; actions to node20</li>
<li><a href="https://github.com/actions/cache/commit/25618a0a675e8447e5ffc8ed9b7ddb2aaf927f65"><code>25618a0</code></a> Bump version</li>
<li>Additional commits viewable in <a href="https://github.com/actions/cache/compare/v3...v4">compare view</a></li>
</ul>
</details>
<br />


)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 41.1.1 to 42.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/tj-actions/changed-files/releases">tj-actions/changed-files's releases</a>.</em></p>
<blockquote>
<h2>v42.0.0</h2>
<h2>🔥🔥 BREAKING CHANGE 🔥🔥</h2>
<ul>
<li>Input file patterns that end with a <code>/</code> would now match all sub-files within the directory without requiring you to specify the globstar pattern.</li>
</ul>
<h3></h3>
<pre lang="yaml"><code>...
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v42
        with:
          files: 'dir/'  # Would also be the same as dir/** 
</code></pre>
<h2>What's Changed</h2>
<ul>
<li>Upgraded to v41.1.2 by <a href="https://github.com/tj-actions-bot"><code>@​tj-actions-bot</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1869">tj-actions/changed-files#1869</a></li>
<li>chore(deps): update dependency prettier to v3.2.4 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1871">tj-actions/changed-files#1871</a></li>
<li>fix: update input warning by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1870">tj-actions/changed-files#1870</a></li>
<li>rename: unsupported REST API inputs constant name by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1872">tj-actions/changed-files#1872</a></li>
<li>feat: add support for include/exclude all nested files when a directory is specified and ends with a slash by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1873">tj-actions/changed-files#1873</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/tj-actions/changed-files/compare/v41...v42.0.0">https://github.com/tj-actions/changed-files/compare/v41...v42.0.0</a></p>
<h2>v41.1.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgraded to v41.1.1 by <a href="https://github.com/tj-actions-bot"><code>@​tj-actions-bot</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1854">tj-actions/changed-files#1854</a></li>
<li>chore(deps): update dependency prettier to v3.2.2 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1855">tj-actions/changed-files#1855</a></li>
<li>chore(deps): lock file maintenance by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1856">tj-actions/changed-files#1856</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.11.1 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1857">tj-actions/changed-files#1857</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.11.2 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1858">tj-actions/changed-files#1858</a></li>
<li>chore(deps): update typescript-eslint monorepo to v6.19.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1860">tj-actions/changed-files#1860</a></li>
<li>feat: enhance error handling and working directory resolution by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1859">tj-actions/changed-files#1859</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.11.3 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1862">tj-actions/changed-files#1862</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.11.4 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1863">tj-actions/changed-files#1863</a></li>
<li>chore(deps): update tj-actions/eslint-changed-files action to v22 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1864">tj-actions/changed-files#1864</a></li>
<li>chore(deps): update dependency prettier to v3.2.3 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1867">tj-actions/changed-files#1867</a></li>
<li>fix: bug with incorrect action path by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1866">tj-actions/changed-files#1866</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.11.5 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1868">tj-actions/changed-files#1868</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/tj-actions/changed-files/compare/v41...v41.1.2">https://github.com/tj-actions/changed-files/compare/v41...v41.1.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/tj-actions/changed-files/blob/main/HISTORY.md">tj-actions/changed-files's changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h1><a href="https://github.com/tj-actions/changed-files/compare/v41.1.2...v42.0.0">42.0.0</a> - (2024-01-18)</h1>
<h2>🚀 Features</h2>
<ul>
<li>Add support for include/exclude all nested files when a directory is specified and ends with a slash (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1873">#1873</a>) (<a href="https://github.com/tj-actions/changed-files/commit/ae82ed4ae04587b665efad2f206578aa6f0e8539">ae82ed4</a>)  - (Tonye Jack)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li>Update input warning (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1870">#1870</a>) (<a href="https://github.com/tj-actions/changed-files/commit/6c9dcea4432fd0eb2f3e07c9149eab2807ce44b2">6c9dcea</a>)  - (Tonye Jack)</li>
</ul>
<h2>📝 Rename</h2>
<ul>
<li>Unsupported REST API inputs constant name (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1872">#1872</a>) (<a href="https://github.com/tj-actions/changed-files/commit/cbd59070e8276b539ecdfa0f2316db7b1599ea0f">cbd5907</a>)  - (Tonye Jack)</li>
</ul>
<h2>⚙️ Miscellaneous Tasks</h2>
<ul>
<li><strong>deps:</strong> Update dependency prettier to v3.2.4 (<a href="https://github.com/tj-actions/changed-files/commit/79b060d4450764e6b54a73696c2d99134757db95">79b060d</a>)  - (renovate[bot])</li>
</ul>
<h2>⬆️ Upgrades</h2>
<ul>
<li>Upgraded to v41.1.2 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1869">#1869</a>)</li>
</ul>
<p>Co-authored-by: jackton1 <a href="mailto:[email protected]">[email protected]</a> (<a href="https://github.com/tj-actions/changed-files/commit/434b67ebc3051662cf28de12b8a7adb77aea522a">434b67e</a>)  - (tj-actions[bot])</p>
<h1><a href="https://github.com/tj-actions/changed-files/compare/v41.1.1...v41.1.2">41.1.2</a> - (2024-01-17)</h1>
<h2>🚀 Features</h2>
<ul>
<li>Enhance error handling and working directory resolution (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1859">#1859</a>) (<a href="https://github.com/tj-actions/changed-files/commit/a60bf3759e069549b60c8da1284ec83e0398a1a4">a60bf37</a>)  - (Tonye Jack)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li>Bug with incorrect action path (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1866">#1866</a>) (<a href="https://github.com/tj-actions/changed-files/commit/3f8189989ba6fd9b3b9593ffe650236b3f1fcb55">3f81899</a>)  - (Tonye Jack)</li>
</ul>
<h2>⚙️ Miscellaneous Tasks</h2>
<ul>
<li><strong>deps:</strong> Update dependency <code>@​types/node</code> to v20.11.5 (<a href="https://github.com/tj-actions/changed-files/commit/cbda684547adc8c052d50711417fa61b428a9f88">cbda684</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency prettier to v3.2.3 (<a href="https://github.com/tj-actions/changed-files/commit/67a1f54f6f5ec7ee87c57eb7876a7d6dfdcc59a1">67a1f54</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update tj-actions/eslint-changed-files action to v22 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1864">#1864</a>) (<a href="https://github.com/tj-actions/changed-files/commit/99248a443855d73284abf52520f897dba851b914">99248a4</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency <code>@​types/node</code> to v20.11.4 (<a href="https://github.com/tj-actions/changed-files/commit/878743189ba0ba42d467a736923b07102f0e348c">8787431</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency <code>@​types/node</code> to v20.11.3 (<a href="https://github.com/tj-actions/changed-files/commit/98d1d84e2f7a404c425df4e44dceb74a03920ac8">98d1d84</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update typescript-eslint monorepo to v6.19.0 (<a href="https://github.com/tj-actions/changed-files/commit/bc46e4c4222c3926a70378d183f0b387d3a9e9a8">bc46e4c</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency <code>@​types/node</code> to v20.11.2 (<a href="https://github.com/tj-actions/changed-files/commit/fba40673489d49e860c15a444c134d887ead1f3a">fba4067</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency <code>@​types/node</code> to v20.11.1 (<a href="https://github.com/tj-actions/changed-files/commit/e4b86747326bc58eb230d62188ebdd66b73721a9">e4b8674</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Lock file maintenance (<a href="https://github.com/tj-actions/changed-files/commit/bc2b5aef20add66cbe21d1093f0f1d37a353d376">bc2b5ae</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency prettier to v3.2.2 (<a href="https://github.com/tj-actions/changed-files/commit/63c36a563a30544b4c03a8426277dca4b00e4fd1">63c36a5</a>)  - (renovate[bot])</li>
</ul>
<h2>⬆️ Upgrades</h2>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/tj-actions/changed-files/commit/ae82ed4ae04587b665efad2f206578aa6f0e8539"><code>ae82ed4</code></a> feat: add support for include/exclude all nested files when a directory is sp...</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/cbd59070e8276b539ecdfa0f2316db7b1599ea0f"><code>cbd5907</code></a> rename: unsupported REST API inputs constant name (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1872">#1872</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/6c9dcea4432fd0eb2f3e07c9149eab2807ce44b2"><code>6c9dcea</code></a> fix: update input warning (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1870">#1870</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/79b060d4450764e6b54a73696c2d99134757db95"><code>79b060d</code></a> chore(deps): update dependency prettier to v3.2.4</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/434b67ebc3051662cf28de12b8a7adb77aea522a"><code>434b67e</code></a> Upgraded to v41.1.2 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1869">#1869</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/cbda684547adc8c052d50711417fa61b428a9f88"><code>cbda684</code></a> chore(deps): update dependency <code>@​types/node</code> to v20.11.5</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/3f8189989ba6fd9b3b9593ffe650236b3f1fcb55"><code>3f81899</code></a> fix: bug with incorrect action path (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1866">#1866</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/67a1f54f6f5ec7ee87c57eb7876a7d6dfdcc59a1"><code>67a1f54</code></a> chore(deps): update dependency prettier to v3.2.3</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/99248a443855d73284abf52520f897dba851b914"><code>99248a4</code></a> chore(deps): update tj-actions/eslint-changed-files action to v22 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1864">#1864</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/878743189ba0ba42d467a736923b07102f0e348c"><code>8787431</code></a> chore(deps): update dependency <code>@​types/node</code> to v20.11.4</li>
<li>Additional commits viewable in <a href="https://github.com/tj-actions/changed-files/compare/62f4729b5df35e6e0e01265fa70a82ccaf196b4b...ae82ed4ae04587b665efad2f206578aa6f0e8539">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tj-actions/changed-files&package-manager=github_actions&previous-version=41.1.1&new-version=42.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-appmesh
│ └ resources
│    └[~] resource AWS::AppMesh::Mesh
│      └ types
│         └[~] type MeshSpec
│           └ properties
│              └ ServiceDiscovery: (documentation changed)
├[~] service aws-aps
│ └ resources
│    └[~] resource AWS::APS::RuleGroupsNamespace
│      └ properties
│         └ Workspace: - string (required)
│                      + string (required, immutable)
├[~] service aws-backup
│ └ resources
│    └[~] resource AWS::Backup::Framework
│      └ types
│         └[~] type FrameworkControl
│           └ properties
│              └ ControlScope: (documentation changed)
├[~] service aws-chatbot
│ └ resources
│    ├[~] resource AWS::Chatbot::MicrosoftTeamsChannelConfiguration
│    │ └  - documentation: The `AWS::Chatbot::MicrosoftTeamsChannelConfiguration` resource configures a Microsoft Teams channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│    │    This resource requires some setup to be done in the AWS Chatbot console. To provide the required Microsoft Teams team and tenant IDs, you must perform the initial authorization flow with Microsoft Teams in the AWS Chatbot console, then copy and paste the IDs from the console. For more details, see steps 1-4 in [Setting Up AWS Chatbot with Microsoft Teams](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *AWS Chatbot Administrator Guide* .
│    │    + documentation: The `AWS::Chatbot::MicrosoftTeamsChannelConfiguration` resource configures a Microsoft Teams channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│    │    This resource requires some setup to be done in the AWS Chatbot console. To provide the required Microsoft Teams team and tenant IDs, you must perform the initial authorization flow with Microsoft Teams in the AWS Chatbot console, then copy and paste the IDs from the console. For more details, see [Configure a Microsoft Teams client](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *AWS Chatbot Administrator Guide* .
│    └[~] resource AWS::Chatbot::SlackChannelConfiguration
│      └  - documentation: The `AWS::Chatbot::SlackChannelConfiguration` resource configures a Slack channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│         This resource requires some setup to be done in the AWS Chatbot console. To provide the required Slack workspace ID, you must perform the initial authorization flow with Slack in the AWS Chatbot console, then copy and paste the workspace ID from the console. For more details, see steps 1-4 in [Setting Up AWS Chatbot with Slack](https://docs.aws.amazon.com/chatbot/latest/adminguide/setting-up.html#Setup_intro) in the *AWS Chatbot User Guide* .
│         + documentation: The `AWS::Chatbot::SlackChannelConfiguration` resource configures a Slack channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│         This resource requires some setup to be done in the AWS Chatbot console. To provide the required Slack workspace ID, you must perform the initial authorization flow with Slack in the AWS Chatbot console, then copy and paste the workspace ID from the console. For more details, see [Configure a Slack client](https://docs.aws.amazon.com/chatbot/latest/adminguide/slack-setup.html#slack-client-setup) in the *AWS Chatbot User Guide* .
├[~] service aws-cleanrooms
│ └ resources
│    └[~] resource AWS::CleanRooms::ConfiguredTable
│      └ types
│         └[~] type AnalysisRuleCustom
│           └ properties
│              ├ AllowedAnalyses: (documentation changed)
│              └ AllowedAnalysisProviders: (documentation changed)
├[~] service aws-cognito
│ └ resources
│    ├[~] resource AWS::Cognito::IdentityPool
│    │ └ types
│    │    └[~] type CognitoIdentityProvider
│    │      └ properties
│    │         ├ ClientId: - string
│    │         │           + string (required)
│    │         └ ProviderName: - string
│    │                         + string (required)
│    └[~] resource AWS::Cognito::IdentityPoolRoleAttachment
│      └ properties
│         └ Roles: - json
│                  + Map<string, string> ⇐ json
├[~] service aws-config
│ └ resources
│    └[~] resource AWS::Config::ConfigurationRecorder
│      └ types
│         ├[~] type ExclusionByResourceTypes
│         │ └  - documentation: Specifies whether the configuration recorder excludes certain resource types from being recorded. Use the `resourceTypes` field to enter a comma-separated list of resource types you want to exclude from recording.
│         │    By default, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.
│         │    > *How to use the exclusion recording strategy*
│         │    > 
│         │    > To use this option, you must set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .
│         │    > 
│         │    > AWS Config will then record configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded.
│         │    > 
│         │    > *Global resource types and the exclusion recording strategy*
│         │    > 
│         │    > Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.
│         │    > 
│         │    > IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:
│         │    > 
│         │    > - Asia Pacific (Hyderabad)
│         │    > - Asia Pacific (Melbourne)
│         │    > - Europe (Spain)
│         │    > - Europe (Zurich)
│         │    > - Israel (Tel Aviv)
│         │    > - Middle East (UAE)
│         │    + documentation: Specifies whether the configuration recorder excludes certain resource types from being recorded. Use the `ResourceTypes` field to enter a comma-separated list of resource types you want to exclude from recording.
│         │    By default, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.
│         │    > *How to use the exclusion recording strategy*
│         │    > 
│         │    > To use this option, you must set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .
│         │    > 
│         │    > AWS Config will then record configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded.
│         │    > 
│         │    > *Global resource types and the exclusion recording strategy*
│         │    > 
│         │    > Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.
│         │    > 
│         │    > IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:
│         │    > 
│         │    > - Asia Pacific (Hyderabad)
│         │    > - Asia Pacific (Melbourne)
│         │    > - Canada West (Calgary)
│         │    > - Europe (Spain)
│         │    > - Europe (Zurich)
│         │    > - Israel (Tel Aviv)
│         │    > - Middle East (UAE)
│         ├[~] type RecordingGroup
│         │ ├  - documentation: Specifies which resource types AWS Config records for configuration changes. By default, AWS Config records configuration changes for all current and future supported resource types in the AWS Region where you have enabled AWS Config , excluding the global IAM resource types: IAM users, groups, roles, and customer managed policies.
│         │ │  In the recording group, you specify whether you want to record all supported current and future supported resource types or to include or exclude specific resources types. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .
│         │ │  If you don't want AWS Config to record all current and future supported resource types (excluding the global IAM resource types), use one of the following recording strategies:
│         │ │  - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or
│         │ │  - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).
│         │ │  If you use the recording strategy to *Record all current and future resource types* ( `ALL_SUPPORTED_RESOURCE_TYPES` ), you can use the flag `includeGlobalResourceTypes` to include the global IAM resource types in your recording.
│         │ │  > *Aurora global clusters are recorded in all enabled Regions*
│         │ │  > 
│         │ │  > The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled.
│         │ │  > 
│         │ │  > If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use the `EXCLUSION_BY_RESOURCE_TYPES` or `INCLUSION_BY_RESOURCE_TYPES` recording strategy.
│         │ │  + documentation: Specifies which resource types AWS Config records for configuration changes. By default, AWS Config records configuration changes for all current and future supported resource types in the AWS Region where you have enabled AWS Config , excluding the global IAM resource types: IAM users, groups, roles, and customer managed policies.
│         │ │  In the recording group, you specify whether you want to record all supported current and future supported resource types or to include or exclude specific resources types. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .
│         │ │  If you don't want AWS Config to record all current and future supported resource types (excluding the global IAM resource types), use one of the following recording strategies:
│         │ │  - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or
│         │ │  - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).
│         │ │  If you use the recording strategy to *Record all current and future resource types* ( `ALL_SUPPORTED_RESOURCE_TYPES` ), you can use the flag `IncludeGlobalResourceTypes` to include the global IAM resource types in your recording.
│         │ │  > *Aurora global clusters are recorded in all enabled Regions*
│         │ │  > 
│         │ │  > The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled.
│         │ │  > 
│         │ │  > If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use the `EXCLUSION_BY_RESOURCE_TYPES` or `INCLUSION_BY_RESOURCE_TYPES` recording strategy.
│         │ └ properties
│         │    ├ IncludeGlobalResourceTypes: (documentation changed)
│         │    ├ RecordingStrategy: (documentation changed)
│         │    └ ResourceTypes: (documentation changed)
│         └[~] type RecordingStrategy
│           └ properties
│              └ UseOnly: (documentation changed)
├[~] service aws-connect
│ └ resources
│    └[~] resource AWS::Connect::Rule
│      └ types
│         └[~] type Actions
│           └ properties
│              ├[-] EndAssociatedTaskActions: Array<json>
│              └[+] EndAssociatedTasksActions: Array<json>
├[+] service aws-datazone
│ ├  capitalized: DataZone
│ │  cloudFormationNamespace: AWS::DataZone
│ │  name: aws-datazone
│ │  shortName: datazone
│ └ resources
│    ├resource AWS::DataZone::DataSource
│    │├  name: DataSource
│    ││  cloudFormationType: AWS::DataZone::DataSource
│    ││  documentation: Definition of AWS::DataZone::DataSource Resource Type
│    │├ properties
│    ││  ├AssetFormsInput: Array<FormInput>
│    ││  ├Description: string
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  ├EnableSetting: string
│    ││  ├EnvironmentIdentifier: string (required, immutable)
│    ││  ├Configuration: DataSourceConfigurationInput
│    ││  ├Name: string (required)
│    ││  ├ProjectIdentifier: string (required, immutable)
│    ││  ├PublishOnImport: boolean
│    ││  ├Recommendation: RecommendationConfiguration
│    ││  ├Schedule: ScheduleConfiguration
│    ││  └Type: string (required, immutable)
│    │├ attributes
│    ││  ├CreatedAt: string
│    ││  ├DomainId: string
│    ││  ├EnvironmentId: string
│    ││  ├Id: string
│    ││  ├LastRunAssetCount: number
│    ││  ├LastRunAt: string
│    ││  ├LastRunStatus: string
│    ││  ├ProjectId: string
│    ││  ├Status: string
│    ││  └UpdatedAt: string
│    │└ types
│    │   ├type FormInput
│    │   │├  documentation: The details of a metadata form.
│    │   ││  name: FormInput
│    │   │└ properties
│    │   │   ├FormName: string (required)
│    │   │   ├TypeIdentifier: string
│    │   │   ├TypeRevision: string
│    │   │   └Content: string
│    │   ├type DataSourceConfigurationInput
│    │   │├  name: DataSourceConfigurationInput
│    │   │└ properties
│    │   │   ├GlueRunConfiguration: GlueRunConfigurationInput
│    │   │   └RedshiftRunConfiguration: RedshiftRunConfigurationInput
│    │   ├type GlueRunConfigurationInput
│    │   │├  name: GlueRunConfigurationInput
│    │   │└ properties
│    │   │   ├DataAccessRole: string
│    │   │   └RelationalFilterConfigurations: Array<RelationalFilterConfiguration> (required)
│    │   ├type RelationalFilterConfiguration
│    │   │├  documentation: The relational filter configuration for the data source.
│    │   ││  name: RelationalFilterConfiguration
│    │   │└ properties
│    │   │   ├DatabaseName: string (required)
│    │   │   ├SchemaName: string
│    │   │   └FilterExpressions: Array<FilterExpression>
│    │   ├type FilterExpression
│    │   │├  documentation: The search filter expression.
│    │   ││  name: FilterExpression
│    │   │└ properties
│    │   │   ├Type: string (required)
│    │   │   └Expression: string (required)
│    │   ├type RedshiftRunConfigurationInput
│    │   │├  documentation: The configuration details of the Amazon Redshift data source.
│    │   ││  name: RedshiftRunConfigurationInput
│    │   │└ properties
│    │   │   ├DataAccessRole: string
│    │   │   ├RelationalFilterConfigurations: Array<RelationalFilterConfiguration> (required)
│    │   │   ├RedshiftCredentialConfiguration: RedshiftCredentialConfiguration (required)
│    │   │   └RedshiftStorage: RedshiftStorage (required)
│    │   ├type RedshiftCredentialConfiguration
│    │   │├  documentation: The ARN of a secret manager for an Amazon Redshift cluster.
│    │   ││  name: RedshiftCredentialConfiguration
│    │   │└ properties
│    │   │   └SecretManagerArn: string (required)
│    │   ├type RedshiftStorage
│    │   │├  documentation: The details of the Amazon Redshift cluster source.
│    │   ││  name: RedshiftStorage
│    │   │└ properties
│    │   │   ├RedshiftClusterSource: RedshiftClusterStorage
│    │   │   └RedshiftServerlessSource: RedshiftServerlessStorage
│    │   ├type RedshiftClusterStorage
│    │   │├  documentation: The name of an Amazon Redshift cluster.
│    │   ││  name: RedshiftClusterStorage
│    │   │└ properties
│    │   │   └ClusterName: string (required)
│    │   ├type RedshiftServerlessStorage
│    │   │├  documentation: The details of the Amazon Redshift Serverless workgroup storage.
│    │   ││  name: RedshiftServerlessStorage
│    │   │└ properties
│    │   │   └WorkgroupName: string (required)
│    │   ├type RecommendationConfiguration
│    │   │├  documentation: The recommendation to be updated as part of the UpdateDataSource action.
│    │   ││  name: RecommendationConfiguration
│    │   │└ properties
│    │   │   └EnableBusinessNameGeneration: boolean
│    │   └type ScheduleConfiguration
│    │    ├  documentation: The schedule of the data source runs.
│    │    │  name: ScheduleConfiguration
│    │    └ properties
│    │       ├Timezone: string
│    │       └Schedule: string
│    ├resource AWS::DataZone::Domain
│    │├  name: Domain
│    ││  cloudFormationType: AWS::DataZone::Domain
│    ││  documentation: A domain is an organizing entity for connecting together assets, users, and their projects
│    ││  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │├ properties
│    ││  ├Description: string
│    ││  ├DomainExecutionRole: string (required)
│    ││  ├KmsKeyIdentifier: string (immutable)
│    ││  ├Name: string (required)
│    ││  ├SingleSignOn: SingleSignOn
│    ││  └Tags: Array<tag>
│    │├ attributes
│    ││  ├Arn: string
│    ││  ├CreatedAt: string
│    ││  ├Id: string
│    ││  ├LastUpdatedAt: string
│    ││  ├ManagedAccountId: string
│    ││  ├PortalUrl: string
│    ││  └Status: string
│    │└ types
│    │   └type SingleSignOn
│    │    ├  documentation: The single-sign on configuration of the Amazon DataZone domain.
│    │    │  name: SingleSignOn
│    │    └ properties
│    │       ├Type: string
│    │       └UserAssignment: string
│    ├resource AWS::DataZone::Environment
│    │├  name: Environment
│    ││  cloudFormationType: AWS::DataZone::Environment
│    ││  documentation: Definition of AWS::DataZone::Environment Resource Type
│    │├ properties
│    ││  ├Description: string
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  ├EnvironmentProfileIdentifier: string (required, immutable)
│    ││  ├GlossaryTerms: Array<string>
│    ││  ├Name: string (required)
│    ││  ├ProjectIdentifier: string (required, immutable)
│    ││  └UserParameters: Array<EnvironmentParameter> (immutable)
│    │├ attributes
│    ││  ├AwsAccountId: string
│    ││  ├AwsAccountRegion: string
│    ││  ├CreatedAt: string
│    ││  ├CreatedBy: string
│    ││  ├DomainId: string
│    ││  ├EnvironmentBlueprintId: string
│    ││  ├EnvironmentProfileId: string
│    ││  ├Id: string
│    ││  ├ProjectId: string
│    ││  ├Provider: string
│    ││  ├Status: string
│    ││  └UpdatedAt: string
│    │└ types
│    │   └type EnvironmentParameter
│    │    ├  documentation: The parameter details of an environment.
│    │    │  name: EnvironmentParameter
│    │    └ properties
│    │       ├Name: string
│    │       └Value: string
│    ├resource AWS::DataZone::EnvironmentBlueprintConfiguration
│    │├  name: EnvironmentBlueprintConfiguration
│    ││  cloudFormationType: AWS::DataZone::EnvironmentBlueprintConfiguration
│    ││  documentation: Definition of AWS::DataZone::EnvironmentBlueprintConfiguration Resource Type
│    │├ properties
│    ││  ├RegionalParameters: Array<RegionalParameter>
│    ││  ├ProvisioningRoleArn: string
│    ││  ├EnabledRegions: Array<string> (required)
│    ││  ├EnvironmentBlueprintIdentifier: string (required, immutable)
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  └ManageAccessRoleArn: string
│    │├ attributes
│    ││  ├CreatedAt: string
│    ││  ├DomainId: string
│    ││  ├EnvironmentBlueprintId: string
│    ││  └UpdatedAt: string
│    │└ types
│    │   └type RegionalParameter
│    │    ├  name: RegionalParameter
│    │    └ properties
│    │       ├Parameters: Map<string, string>
│    │       └Region: string
│    ├resource AWS::DataZone::EnvironmentProfile
│    │├  name: EnvironmentProfile
│    ││  cloudFormationType: AWS::DataZone::EnvironmentProfile
│    ││  documentation: AWS Datazone Environment Profile is pre-configured set of resources and blueprints that provide reusable templates for creating environments.
│    │├ properties
│    ││  ├AwsAccountId: string
│    ││  ├AwsAccountRegion: string
│    ││  ├Description: string
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  ├EnvironmentBlueprintIdentifier: string (required, immutable)
│    ││  ├Name: string (required)
│    ││  ├ProjectIdentifier: string (required, immutable)
│    ││  └UserParameters: Array<EnvironmentParameter>
│    │├ attributes
│    ││  ├CreatedAt: string
│    ││  ├CreatedBy: string
│    ││  ├DomainId: string
│    ││  ├EnvironmentBlueprintId: string
│    ││  ├Id: string
│    ││  ├ProjectId: string
│    ││  └UpdatedAt: string
│    │└ types
│    │   └type EnvironmentParameter
│    │    ├  documentation: The parameter details of an environment profile.
│    │    │  name: EnvironmentParameter
│    │    └ properties
│    │       ├Name: string
│    │       └Value: string
│    ├resource AWS::DataZone::Project
│    │├  name: Project
│    ││  cloudFormationType: AWS::DataZone::Project
│    ││  documentation: Amazon DataZone projects are business use case–based groupings of people, assets (data), and tools used to simplify access to the AWS analytics.
│    │├ properties
│    ││  ├Description: string
│    ││  ├DomainIdentifier: string (required, immutable)
│    ││  ├GlossaryTerms: Array<string>
│    ││  └Name: string (required)
│    │└ attributes
│    │   ├Id: string
│    │   ├CreatedAt: string
│    │   ├CreatedBy: string
│    │   ├DomainId: string
│    │   └LastUpdatedAt: string
│    └resource AWS::DataZone::SubscriptionTarget
│     ├  name: SubscriptionTarget
│     │  cloudFormationType: AWS::DataZone::SubscriptionTarget
│     │  documentation: Subscription targets enables one to access the data to which you have subscribed in your projects.
│     ├ properties
│     │  ├ApplicableAssetTypes: Array<string> (required)
│     │  ├AuthorizedPrincipals: Array<string> (required)
│     │  ├DomainIdentifier: string (required, immutable)
│     │  ├EnvironmentIdentifier: string (required, immutable)
│     │  ├ManageAccessRole: string (required)
│     │  ├Name: string (required)
│     │  ├Provider: string
│     │  ├SubscriptionTargetConfig: Array<SubscriptionTargetForm> (required)
│     │  └Type: string (required, immutable)
│     ├ attributes
│     │  ├CreatedAt: string
│     │  ├CreatedBy: string
│     │  ├DomainId: string
│     │  ├EnvironmentId: string
│     │  ├Id: string
│     │  ├ProjectId: string
│     │  ├UpdatedAt: string
│     │  └UpdatedBy: string
│     └ types
│        └type SubscriptionTargetForm
│         ├  documentation: The details of the subscription target configuration.
│         │  name: SubscriptionTargetForm
│         └ properties
│            ├FormName: string (required)
│            └Content: string (required)
├[~] service aws-ec2
│ └ resources
│    └[~] resource AWS::EC2::IPAMPool
│      ├ properties
│      │  └ SourceResource: (documentation changed)
│      └ types
│         └[~] type SourceResource
│           ├  - documentation: The resource associated with this pool's space. Depending on the ResourceType, setting a SourceResource changes which space can be provisioned in this pool and which types of resources can receive allocations
│           │  + documentation: The resource used to provision CIDRs to a resource planning pool.
│           └ properties
│              ├ ResourceId: (documentation changed)
│              ├ ResourceOwner: (documentation changed)
│              ├ ResourceRegion: (documentation changed)
│              └ ResourceType: (documentation changed)
├[~] service aws-ecs
│ └ resources
│    ├[~] resource AWS::ECS::Service
│    │ ├ properties
│    │ │  └ VolumeConfigurations: (documentation changed)
│    │ └ types
│    │    ├[~] type EBSTagSpecification
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: The tag specifications of an Amazon EBS volume.
│    │    │ └ properties
│    │    │    ├ PropagateTags: (documentation changed)
│    │    │    ├ ResourceType: (documentation changed)
│    │    │    └ Tags: (documentation changed)
│    │    ├[~] type ServiceConnectService
│    │    │ └ properties
│    │    │    ├[+] Timeout: TimeoutConfiguration
│    │    │    └[+] Tls: ServiceConnectTlsConfiguration
│    │    ├[+] type ServiceConnectTlsCertificateAuthority
│    │    │ ├  name: ServiceConnectTlsCertificateAuthority
│    │    │ └ properties
│    │    │    └AwsPcaAuthorityArn: string
│    │    ├[+] type ServiceConnectTlsConfiguration
│    │    │ ├  name: ServiceConnectTlsConfiguration
│    │    │ └ properties
│    │    │    ├IssuerCertificateAuthority: ServiceConnectTlsCertificateAuthority (required)
│    │    │    ├KmsKey: string
│    │    │    └RoleArn: string
│    │    ├[~] type ServiceManagedEBSVolumeConfiguration
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: The configuration for the Amazon EBS volume that Amazon ECS creates and manages on your behalf. These settings are used to create each Amazon EBS volume, with one volume created for each task in the service.
│    │    │ │  Many of these parameters map 1:1 with the Amazon EBS `CreateVolume` API request parameters.
│    │    │ └ properties
│    │    │    ├ Encrypted: (documentation changed)
│    │    │    ├ FilesystemType: (documentation changed)
│    │    │    ├ Iops: (documentation changed)
│    │    │    ├ KmsKeyId: (documentation changed)
│    │    │    ├ RoleArn: (documentation changed)
│    │    │    ├ SizeInGiB: (documentation changed)
│    │    │    ├ SnapshotId: (documentation changed)
│    │    │    ├ TagSpecifications: (documentation changed)
│    │    │    ├ Throughput: (documentation changed)
│    │    │    └ VolumeType: (documentation changed)
│    │    ├[~] type ServiceVolumeConfiguration
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: The configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume.
│    │    │ └ properties
│    │    │    ├ ManagedEBSVolume: (documentation changed)
│    │    │    └ Name: (documentation changed)
│    │    └[+] type TimeoutConfiguration
│    │      ├  name: TimeoutConfiguration
│    │      └ properties
│    │         ├IdleTimeoutSeconds: integer
│    │         └PerRequestTimeoutSeconds: integer
│    └[~] resource AWS::ECS::TaskDefinition
│      └ types
│         └[~] type Volume
│           ├  - documentation: The `Volume` property specifies a data volume used in a task definition. For tasks that use a Docker volume, specify a `DockerVolumeConfiguration` . For tasks that use a bind mount host volume, specify a `host` and optional `sourcePath` . For more information about `host` and optional `sourcePath` , see [Volumes](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#volumes) and [Using Data Volumes in Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_data_volumes.html) .
│           │  + documentation: The data volume configuration for tasks launched using this task definition. Specifying a volume configuration in a task definition is optional. The volume configuration may contain multiple volumes but only one volume configured at launch is supported. Each volume defined in the volume configuration may only specify a `name` and one of either `configuredAtLaunch` , `dockerVolumeConfiguration` , `efsVolumeConfiguration` , `fsxWindowsFileServerVolumeConfiguration` , or `host` . If an empty volume configuration is specified, by default Amazon ECS uses a host volume. For more information, see [Using data volumes in tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_data_volumes.html) .
│           └ properties
│              ├ ConfiguredAtLaunch: (documentation changed)
│              └ Name: (documentation changed)
├[~] service aws-elasticloadbalancingv2
│ └ resources
│    └[~] resource AWS::ElasticLoadBalancingV2::LoadBalancer
│      └ properties
│         └[+] EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: string
├[~] service aws-events
│ └ resources
│    └[~] resource AWS::Events::Rule
│      └ types
│         ├[~] type AppSyncParameters
│         │ ├  - documentation: undefined
│         │ │  + documentation: Contains the GraphQL operation to be parsed and executed, if the event target is an AWS AppSync API.
│         │ └ properties
│         │    └ GraphQLOperation: (documentation changed)
│         └[~] type Target
│           └ properties
│              └ AppSyncParameters: (documentation changed)
├[~] service aws-internetmonitor
│ └ resources
│    └[~] resource AWS::InternetMonitor::Monitor
│      └ types
│         ├[~] type InternetMeasurementsLogDelivery
│         │ └ properties
│         │    └ S3Config: (documentation changed)
│         └[~] type S3Config
│           ├  - documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to S3 logs, and `DISABLED` otherwise.
│           │  The measurements are also published to Amazon CloudWatch Logs.
│           │  + documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs.
│           └ properties
│              ├ BucketName: (documentation changed)
│              ├ BucketPrefix: (documentation changed)
│              └ LogDeliveryStatus: (documentation changed)
├[~] service aws-iot
│ └ resources
│    ├[~] resource AWS::IoT::SoftwarePackage
│    │ └ properties
│    │    ├ Description: (documentation changed)
│    │    ├ PackageName: (documentation changed)
│    │    └ Tags: (documentation changed)
│    └[~] resource AWS::IoT::SoftwarePackageVersion
│      └ properties
│         ├ Attributes: (documentation changed)
│         ├ Description: (documentation changed)
│         ├ PackageName: (documentation changed)
│         ├ Tags: (documentation changed)
│         └ VersionName: (documentation changed)
├[~] service aws-ivs
│ └ resources
│    └[+] resource AWS::IVS::Stage
│      ├  name: Stage
│      │  cloudFormationType: AWS::IVS::Stage
│      │  documentation: Resource Definition for type AWS::IVS::Stage.
│      │  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      ├ properties
│      │  ├Name: string
│      │  └Tags: Array<tag>
│      └ attributes
│         ├Arn: string
│         └ActiveSessionId: string (default="")
├[~] service aws-lakeformation
│ └ resources
│    └[~] resource AWS::LakeFormation::Resource
│      └ properties
│         └[+] HybridAccessEnabled: boolean
├[~] service aws-location
│ └ resources
│    └[~] resource AWS::Location::Map
│      └ types
│         └[~] type MapConfiguration
│           └ properties
│              └[+] CustomLayers: Array<string>
├[~] service aws-logs
│ └ resources
│    └[~] resource AWS::Logs::AccountPolicy
│      ├  - documentation: Creates or updates an account-level data protection policy that applies to all log groups in the account. A data protection policy can help safeguard sensitive data that's ingested by your log groups by auditing and masking the sensitive log data. Each account can have only one account-level policy.
│      │  > Sensitive data is detected and masked when it is ingested into a log group. When you set a data protection policy, log events ingested into the log groups before that time are not masked. 
│      │  If you create a data protection policy for your whole account, it applies to both existing log groups and all log groups that are created later in this account. The account policy is applied to existing log groups with eventual consistency. It might take up to 5 minutes before sensitive data in existing log groups begins to be masked.
│      │  By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks. A user who has the `logs:Unmask` permission can use a [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html) or [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html) operation with the `unmask` parameter set to `true` to view the unmasked log events. Users with the `logs:Unmask` can also view unmasked data in the CloudWatch Logs console by running a CloudWatch Logs Insights query with the `unmask` query command.
│      │  For more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .
│      │  To create an account-level policy, you must be signed on with the `logs:PutDataProtectionPolicy` and `logs:PutAccountPolicy` permissions.
│      │  An account-level policy applies to all log groups in the account. You can also create a data protection policy that applies to just one log group. If a log group has its own data protection policy and the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term specified in either policy is masked.
│      │  + documentation: Creates or updates an aaccount-level data protection policy or subscription filter policy that applies to all log groups or a subset of log groups in the account.
│      │  *Data protection policy*
│      │  A data protection policy can help safeguard sensitive data that's ingested by your log groups by auditing and masking the sensitive log data. Each account can have only one account-level data protection policy.
│      │  > Sensitive data is detected and masked when it is ingested into a log group. When you set a data protection policy, log events ingested into the log groups before that time are not masked. 
│      │  If you create a data protection policy for your whole account, it applies to both existing log groups and all log groups that are created later in this account. The account policy is applied to existing log groups with eventual consistency. It might take up to 5 minutes before sensitive data in existing log groups begins to be masked.
│      │  By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks. A user who has the `logs:Unmask` permission can use a [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html) or [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html) operation with the `unmask` parameter set to `true` to view the unmasked log events. Users with the `logs:Unmask` can also view unmasked data in the CloudWatch Logs console by running a CloudWatch Logs Insights query with the `unmask` query command.
│      │  For more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .
│      │  To create an account-level policy, you must be signed on with the `logs:PutDataProtectionPolicy` and `logs:PutAccountPolicy` permissions.
│      │  An account-level policy applies to all log groups in the account. You can also create a data protection policy that applies to just one log group. If a log group has its own data protection policy and the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term specified in either policy is masked.
│      │  *Subscription filter policy*
│      │  A subscription filter policy sets up a real-time feed of log events from CloudWatch Logs to other AWS services. Account-level subscription filter policies apply to both existing log groups and log groups that are created later in this account. Supported destinations are Kinesis Data Streams , Kinesis Data Firehose , and Lambda . When log events are sent to the receiving service, they are Base64 encoded and compressed with the GZIP format.
│      │  The following destinations are supported for subscription filters:
│      │  - An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.
│      │  - An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.
│      │  - A Lambda function in the same account as the subscription policy, for same-account delivery.
│      │  - A logical destination in a different account created with [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html) , for cross-account delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.
│      │  Each account can have one account-level subscription filter policy. If you are updating an existing filter, you must specify the correct name in `PolicyName` . To perform a `PutAccountPolicy` subscription filter operation for any destination except a Lambda function, you must also have the `iam:PassRole` permission.
│      └ properties
│         ├ PolicyDocument: (documentation changed)
│         ├ PolicyType: (documentation changed)
│         ├ Scope: (documentation changed)
│         └[+] SelectionCriteria: string
├[~] service aws-medialive
│ └ resources
│    └[~] resource AWS::MediaLive::Channel
│      └ types
│         ├[+] type ColorCorrection
│         │ ├  name: ColorCorrection
│         │ └ properties
│         │    ├OutputColorSpace: string
│         │    ├InputColorSpace: string
│         │    └Uri: string
│         ├[+] type ColorCorrectionSettings
│         │ ├  name: ColorCorrectionSettings
│         │ └ properties
│         │    └GlobalColorCorrections: Array<ColorCorrection>
│         └[~] type EncoderSettings
│           └ properties
│              └[+] ColorCorrectionSettings: ColorCorrectionSettings
├[~] service aws-networkfirewall
│ └ resources
│    ├[~] resource AWS::NetworkFirewall::FirewallPolicy
│    │ └ types
│    │    └[~] type StatefulEngineOptions
│    │      └ properties
│    │         └ RuleOrder: (documentation changed)
│    ├[~] resource AWS::NetworkFirewall::RuleGroup
│    │ └ types
│    │    └[~] type RuleOption
│    │      └ properties
│    │         └ Keyword: (documentation changed)
│    └[~] resource AWS::NetworkFirewall::TLSInspectionConfiguration
│      ├  - documentation: The object that defines a TLS inspection configuration. This, along with `TLSInspectionConfigurationResponse` , define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling `DescribeTLSInspectionConfiguration` .
│      │  AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.
│      │  To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS
│      │  inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide* .
│      │  + documentation: The object that defines a TLS inspection configuration.
│      │  AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.
│      │  To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide* .
│      ├ properties
│      │  └ TLSInspectionConfiguration: (documentation changed)
│      └ types
│         ├[~] type Address
│         │ └  - documentation: A single IP address specification. This is used in the `MatchAttributes` source and destination specifications.
│         │    + documentation: A single IP address specification. This is used in the [MatchAttributes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-rulegroup-matchattributes.html) source and destination settings.
│         ├[~] type CheckCertificateRevocationStatus
│         │ ├  - documentation: undefined
│         │ │  + documentation: When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a `CertificateAuthorityArn` in [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-servercertificateconfiguration.html) .
│         │ └ properties
│         │    ├ RevokedStatusAction: (documentation changed)
│         │    └ UnknownStatusAction: (documentation changed)
│         ├[~] type PortRange
│         │ └  - documentation: A single port range specification. This is used for source and destination port ranges in the stateless rule `MatchAttributes` , `SourcePorts` , and `DestinationPorts` settings.
│         │    + documentation: A single port range specification. This is used for source and destination port ranges in the stateless rule [MatchAttributes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-rulegroup-matchattributes.html) , `SourcePorts` , and `DestinationPorts` settings.
│         ├[~] type ServerCertificate
│         │ └  - documentation: Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a `ServerCertificateConfiguration` . Used in a `TLSInspectionConfiguration` for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) or [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .
│         │    + documentation: Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html) . Used in a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) or [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .
│         ├[~] type ServerCertificateConfiguration
│         │ ├  - documentation: Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a `TLSInspectionConfiguration` . You can configure `ServerCertificates` for inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see [Using SSL/TLS server certficiates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide* .
│         │ │  > If a server certificate that's associated with your `TLSInspectionConfiguration` is revoked, deleted, or expired it can result in client-side TLS errors.
│         │ │  + documentation: Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) . You can configure `ServerCertificates` for inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see [Using SSL/TLS server certficiates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide* .
│         │ │  > If a server certificate that's associated with your [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) is revoked, deleted, or expired it can result in client-side TLS errors.
│         │ └ properties
│         │    └ CheckCertificateRevocationStatus: (documentation changed)
│         └[~] type TLSInspectionConfiguration
│           └  - documentation: The object that defines a TLS inspection configuration. This, along with `TLSInspectionConfigurationResponse` , define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling `DescribeTLSInspectionConfiguration` .
│              AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.
│              To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS
│              inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide* .
│              + documentation: The object that defines a TLS inspection configuration. This defines the TLS inspection configuration.
│              AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.
│              To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide* .
├[~] service aws-networkmanager
│ └ resources
│    └[~] resource AWS::NetworkManager::Device
│      └ attributes
│         └ CreatedAt: (documentation changed)
├[~] service aws-opensearchservice
│ └ resources
│    └[~] resource AWS::OpenSearchService::Domain
│      └ types
│         ├[~] type ClusterConfig
│         │ └ properties
│         │    └[+] ColdStorageOptions: ColdStorageOptions
│         └[+] type ColdStorageOptions
│           ├  documentation: Specifies options for cold storage. For more information, see [Cold storage for Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cold-storage.html) .
│           │  name: ColdStorageOptions
│           └ properties
│              └Enabled: boolean
├[~] service aws-rolesanywhere
│ └ resources
│    ├[~] resource AWS::RolesAnywhere::Profile
│    │ ├  - documentation: Creates a *profile* , a list of the roles that Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies.
│    │ │  *Required permissions:* `rolesanywhere:CreateProfile` .
│    │ │  + documentation: Creates a Profile.
│    │ └ properties
│    │    ├ DurationSeconds: (documentation changed)
│    │    ├ Enabled: (documentation changed)
│    │    ├ ManagedPolicyArns: (documentation changed)
│    │    ├ Name: (documentation changed)
│    │    ├ RequireInstanceProperties: (documentation changed)
│    │    ├ RoleArns: (documentation changed)
│    │    ├ SessionPolicy: (documentation changed)
│    │    └ Tags: (documentation changed)
│    └[~] resource AWS::RolesAnywhere::TrustAnchor
│      ├  - documentation: Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA). You can define a trust anchor as a reference to an AWS Private Certificate Authority ( AWS Private CA ) or by uploading a CA certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary AWS credentials.
│      │  *Required permissions:* `rolesanywhere:CreateTrustAnchor` .
│      │  + documentation: Creates a TrustAnchor.
│      └ types
│         ├[~] type Source
│         │ ├  - documentation: The trust anchor type and its related certificate data.
│         │ │  + documentation: Object representing the TrustAnchor type and its related certificate data.
│         │ └ properties
│         │    ├ SourceData: (documentation changed)
│         │    └ SourceType: (documentation changed)
│         └[~] type SourceData
│           └  - documentation: The data field of the trust anchor depending on its type.
│              + documentation: A union object representing the data field of the TrustAnchor depending on its type
├[~] service aws-s3
│ └ resources
│    └[~] resource AWS::S3::Bucket
│      └ types
│         ├[~] type LoggingConfiguration
│         │ └ properties
│         │    └ TargetObjectKeyFormat: (documentation changed)
│         ├[~] type PartitionedPrefix
│         │ └  - documentation: Amazon S3 keys for log objects are partitioned in the following format:
│         │    `[DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]`
│         │    + documentation: Amazon S3 keys for log objects are partitioned in the following format:
│         │    `[DestinationPrefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]`
│         │    PartitionedPrefix defaults to EventTime delivery when server access logs are delivered.
│         └[~] type ServerSideEncryptionByDefault
│           └ properties
│              └ KMSMasterKeyID: (documentation changed)
├[~] service aws-sagemaker
│ └ resources
│    ├[~] resource AWS::SageMaker::DataQualityJobDefinition
│    │ └ types
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    ├[~] resource AWS::SageMaker::Model
│    │ └ types
│    │    ├[~] type ModelAccessConfig
│    │    │ └  - documentation: The access configuration file for the ML model. You can explicitly accept the model end-user license agreement (EULA) within the `ModelAccessConfig` . For more information, see [End-user license agreements](https://docs.aws.amazon.com/sagemaker/latest/dg/jumpstart-foundation-models-choose.html#jumpstart-foundation-models-choose-eula) .
│    │    │    + documentation: The access configuration file to control access to the ML model. You can explicitly accept the model end-user license agreement (EULA) within the `ModelAccessConfig` .
│    │    │    - If you are a Jumpstart user, see the [End-user license agreements](https://docs.aws.amazon.com/sagemaker/latest/dg/jumpstart-foundation-models-choose.html#jumpstart-foundation-models-choose-eula) section for more details on accepting the EULA.
│    │    │    - If you are an AutoML user, see the *Optional Parameters* section of *Create an AutoML job to fine-tune text generation models using the API* for details on [How to set the EULA acceptance when fine-tuning a model using the AutoML API](https://docs.aws.amazon.com/sagemaker/latest/dg/autopilot-create-experiment-finetune-llms.html#autopilot-llms-finetuning-api-optional-params) .
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    ├[~] resource AWS::SageMaker::ModelBiasJobDefinition
│    │ └ types
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    ├[~] resource AWS::SageMaker::ModelExplainabilityJobDefinition
│    │ └ types
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    ├[~] resource AWS::SageMaker::ModelQualityJobDefinition
│    │ └ types
│    │    └[~] type VpcConfig
│    │      └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    │         + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│    └[~] resource AWS::SageMaker::MonitoringSchedule
│      └ types
│         └[~] type VpcConfig
│           └  - documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
│              + documentation: Specifies an Amazon Virtual Private Cloud (VPC) that your SageMaker jobs, hosted models, and compute resources have access to. You can control access to and from your resources by configuring a VPC. For more information, see [Give SageMaker Access to Resources in your Amazon VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .
├[~] service aws-servicecatalogappregistry
│ └ resources
│    └[~] resource AWS::ServiceCatalogAppRegistry::Application
│      └ attributes
│         ├ ApplicationTagKey: (documentation changed)
│         └ ApplicationTagValue: (documentation changed)
└[~] service aws-workspaces
  └ resources
     └[~] resource AWS::WorkSpaces::Workspace
       └ types
          └[~] type WorkspaceProperties
            └ properties
               └ RunningMode: (documentation changed)
```
#28741 accidentally broke the logic that skips them

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…gGroup` (#28783)

In #28737 we have deprecated `logRetention` in favor of `logGroup`. Some custom resources have made the `logRetention` property part of their own API and are now emitting deprecation warnings with no way forward to resolve them. So we are now also deprecating `logRetention` for any custom resources.

Migrating log groups for custom resources would follow the same steps as outlined in #28737. Given that custom resource logging is for debugging purposes and there are no guarantees about the output format, it should be possible to simply replace `logRetention` with a simple `logGroup` in most cases:

```ts
const awsCustom1 = new cr.AwsCustomResource(this, 'API1', {
  // Replace this
  logRetention: logs.RetentionDays.ONE_WEEK,
  // with
  logGroup: new logs.LogGroup(this, 'AwsCustomResourceLogs', {
    retention: logs.RetentionDays.ONE_WEEK,
  }),
});
```
Fixes #28806
Fixes #28809
Related to #28737

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adds support for Map's [ItemSelector](https://docs.aws.amazon.com/step-functions/latest/dg/input-output-itemselector.html) field and deprecates [parameters](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-asl-use-map-state-inline.html#map-state-inline-deprecated-fields).

With the release of Distributed Maps, AWS Step Functions has released a few new fields and deprecated two old ones for Map states. One of them was `Iterator`, which was replaced with `ItemProcessor`; the other one is `Parameters` (replaced by `ItemSelector`). A similar PR was made to deprecate `Iterator` (#27913). While they are deprecated, these fields are still supported (the PR reflects that).

`ItemProcessor` and `ItemSelector` are both fields that are supported in `DISTRIBUTED` and `INLINE` mode, which is why they were added to the existing Map construct.

Closes #23265

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#28605)

I have enabled the configuration of flow logs for TransitGateway and TransitGatewayAttachment. 

Create flow logs from TransitGateway:
```ts
declare const tgw: ec2.CfnTransitGateway;

new ec2.FlowLog(this, 'TransitGatewayFlowLog', {
  resourceType: ec2.FlowLogResourceType.fromTransitGatewayId(tgw.ref)
})
```

Create flow logs from TransitGatewayAttachment:
```ts
declare const tgwAttachment: ec2.CfnTransitGatewayAttachment;

new ec2.FlowLog(this, 'TransitGatewayAttachmentFlowLog', {
  resourceType: ec2.FlowLogResourceType.fromTransitGatewayAttachmentId(tgwAttachment.ref)
})
```

Since `trafficType` [cannot be set for flow logs related to TransitGateway resources](https://docs.aws.amazon.com/vpc/latest/tgw/working-with-flow-logs.html#flow-logs-api-cli), I have also added error handling for this.

```ts
if (props.resourceType.resourceType === 'TransitGateway' || props.resourceType.resourceType === 'TransitGatewayAttachment') {
  if (props.trafficType) {
    throw new Error('trafficType is not supported for Transit Gateway and Transit Gateway Attachment');
  }
  // ...
}
```

Closes #27222.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The CDK has no support for writing data to Amazon OpenSearch Service via an AWS IoT rule. This adds the action that writes data to Amazon OpenSearch Service to the AWS IoT topic rule.

OpenSearch action for IoT Topic Rule documentation is here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iot-topicrule-opensearchaction.html.

Closes #17702.

Tested by deploying my own stack and confirmed that publishing a message to the IoT topic rule will successfully write data to OpenSearch Service.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The `queueUrl` attribute of the `QueueAttributes` interface contains a bad URL redirection address. This pull request aims to update the `@see` redirect address in the `queueUrl` attribute to the proper SQS developer guide link.

Closes #28734.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…28817)

This PR adds a small improvement for the experimental `AppStagingSynthesizer`. Currently, there is no description on the app support stack:

![Screenshot_2024-01-22_at_14_11_13](https://github.com/aws/aws-cdk/assets/630449/0e656aea-2c09-4168-8f05-caebd3fbfc4b)

However, the default bootstrap stack does have a helpful description:

![Screenshot_2024-01-22_at_14_12_04](https://github.com/aws/aws-cdk/assets/630449/35f2065b-c9b9-4ce0-85c4-1346100eb4b3)

So, this PR adds a description to support stacks so people know what they are.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…umentation (#28818)

This will help more people discover the App Staging Synthesizer. One of the most common use-cases that drives me to App Staging Synthesizer is the desire for separate ECR repositories for CDK-managed docker image assets.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
…cy (#28792)

This PR adds a property `datapointsToAlarm` for `StepScalingPolicy`.

Closes #28749.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Closes #28563.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
ECS now supports Amazon ECS optimized Amazon Linux 2 (Neuron) AMI variant for Amazon EC2 Inf1, Trn1 or Inf2 instances (see [here](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html)). It helps make running machine learning inference workloads easier on Amazon ECS.

Add a new enum value, `NEURON` to `AMIHardwareType` to allow users to specify this AMI when setting up their ECS cluster. Add code to retrieve SSM parameter name for this AMI variant (see SSM parameter format for ECS-optimized AMI [here](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/retrieve-ecs-optimized_AMI.html#ecs-optimized-ami-parameter-format)).

Closes #28198.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
badmintoncryer and others added 7 commits January 23, 2024 20:47
…cation configured (#28601)

This PR resolves an issue where deploying an RDS instance configured with Kerberos authentication fails.
When `domainRole` is undefined, CDK creates a default IAM role. However, this role lacks the necessary principals, leading to deployment failure. To resolve this, the necessary principals have been added to the role.

```diff
-        assumedBy: new iam.ServicePrincipal('rds.amazonaws.com'),
+        assumedBy: new iam.CompositePrincipal(
+          new iam.ServicePrincipal('rds.amazonaws.com'),
+          new iam.ServicePrincipal('directoryservice.rds.amazonaws.com'),
+        ),
```
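
Review bot: the `assumedBy` change adds `directoryservice.rds.amazonaws.com` to the default role's trust policy, but the hunk shows no test or documentation update alongside it. Suggest a unit test asserting that both service principals appear in the synthesized role's trust policy, and a line in the `domainRole` property docs stating which principals a user-supplied role must trust, since the default role was failing at deploy time for exactly this reason.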

Closes #28600.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
`publib` is our package that includes a CLI tool named `publib-ca`. 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…8611)

This PR has enabled explicit disabling of the circuit breaker. 

```ts
declare const cluster: ecs.Cluster;
declare const taskDefinition: ecs.TaskDefinition;
const service = new ecs.FargateService(this, 'Service', {
  cluster,
  taskDefinition,
  circuitBreaker: {
    enable: true, // added
    rollback: true
  },
});
```

This is useful for removing a circuit breaker that has been set previously.

Closes #27131.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#28789)

Adding an optional `allocatedStorage` parameter to DatabaseInstanceReadReplica. Allows customers to set the [AllocatedStorage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-allocatedstorage) for their replica instance. 

Note: Didn't add any synth checks as the original deployment issue outlined in #17083 seems to be fixed (Deployed the failed template and the replica instance will automatically inherit the storage of the source instance). Customers should still be able to set `allocatedStorage`.

Closes #17083.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
#28559)

I have added the arguments domain and domainRole to support Kerberos authentication for the Aurora Database cluster. The specifications for these arguments are the same as the existing [domain](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/instance.ts#L625) and [domainRole](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/instance.ts#L633) in the [Instance](https://github.com/aws/aws-cdk/tree/main/packages/aws-cdk-lib/aws-rds#kerberos-authentication).

```ts
declare const vpc: ec2.Vpc
declare const iamRole: iam.IRole
new rds.DatabaseCluster(this, 'Database', {
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_05_1 }),
  writer: rds.ClusterInstance.provisioned('Instance', {
    instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MEDIUM),
  }),
  vpc,
  domain: 'd-????????', // added
  domainRole: iamRole, // added
});
```

Closes #28050.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
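
The trust-policy gap fixed in #28601, and the same `domain`/`domainRole` pair added to Aurora clusters in #28559, can be checked on a synthesized template before deployment. This is an added example, not code from the PR or from aws-cdk; the templates, the directory ID `d-0000000000` and the function names are constructed for illustration, and applying the same two-principal requirement to `AWS::RDS::DBCluster` is an assumption.

```typescript
// Added example: a synth-time check over constructed templates, not aws-cdk code.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

const REQUIRED = ['rds.amazonaws.com', 'directoryservice.rds.amazonaws.com'];
const RDS_TYPES = ['AWS::RDS::DBInstance', 'AWS::RDS::DBCluster'];

// Service principals a role's trust policy allows; Statement and Service may each be one item or a list.
function trustedServices(role: CfnResource): string[] {
  const found: string[] = [];
  const stmts = role.Properties?.AssumeRolePolicyDocument?.Statement ?? [];
  for (const s of Array.isArray(stmts) ? stmts : [stmts]) {
    if (s.Effect !== 'Allow') continue;
    const svc = s.Principal?.Service ?? [];
    for (const p of Array.isArray(svc) ? svc : [svc]) found.push(p);
  }
  return found;
}

// One finding per Kerberos-enabled RDS resource whose role misses a required principal.
function checkKerberosRoles(t: CfnTemplate): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    if (RDS_TYPES.indexOf(res.Type) < 0 || !res.Properties?.Domain) continue;
    const ref = res.Properties?.DomainIAMRoleName?.Ref;
    const role = ref ? t.Resources[ref] : undefined;
    if (!role || role.Type !== 'AWS::IAM::Role') {
      findings.push(`${id}: role is defined outside this template, check it by hand`);
      continue;
    }
    const trusted = trustedServices(role);
    const missing = REQUIRED.filter((p) => trusted.indexOf(p) < 0);
    if (missing.length) findings.push(`${id}: role ${ref} does not trust ${missing.join(', ')}`);
  }
  return findings;
}

// Constructed template: one role trusted by `services`, one DB instance joined to a placeholder directory.
function sample(services: string[]): CfnTemplate {
  return { Resources: {
    Role: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: { Statement: [
      { Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { Service: services } }] } } },
    Db: { Type: 'AWS::RDS::DBInstance',
      Properties: { Domain: 'd-0000000000', DomainIAMRoleName: { Ref: 'Role' } } },
  } };
}
const findingsBefore = checkKerberosRoles(sample(['rds.amazonaws.com']));
const findingsAfter = checkKerberosRoles(sample(REQUIRED));
console.log(findingsBefore, findingsAfter);
```

A role passed in by name rather than by `Ref` cannot be resolved from the template alone, so the check flags it for manual review instead of passing it.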
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Jan 24, 2024
@github-actions github-actions bot added the p2 label Jan 24, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team January 24, 2024 18:20
@aws-cdk-automation
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 27dd6e1
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Contributor

mergify bot commented Jan 24, 2024

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit a594112 into v2-release Jan 24, 2024
28 of 29 checks passed
@mergify mergify bot deleted the bump/2.123.0 branch January 24, 2024 18:47