Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: update L1 CloudFormation resource definitions (#29924)
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-appintegrations
│ └ resources
│ └[~] resource AWS::AppIntegrations::Application
│ ├ properties
│ │ └[+] Permissions: Array<string>
│ └ types
│ └[~] type ExternalUrlConfig
│ └ properties
│ └ ApprovedOrigins: - Array<string> (required)
│ + Array<string>
├[~] service aws-autoscaling
│ └ resources
│ ├[~] resource AWS::AutoScaling::AutoScalingGroup
│ │ ├ properties
│ │ │ ├ Cooldown: (documentation changed)
│ │ │ ├ DesiredCapacityType: (documentation changed)
│ │ │ ├ HealthCheckType: (documentation changed)
│ │ │ ├ MaxInstanceLifetime: (documentation changed)
│ │ │ ├ NewInstancesProtectedFromScaleIn: (documentation changed)
│ │ │ └ TerminationPolicies: (documentation changed)
│ │ └ types
│ │ ├[~] type LaunchTemplateOverrides
│ │ │ └ properties
│ │ │ └ InstanceType: (documentation changed)
│ │ ├[~] type LifecycleHookSpecification
│ │ │ └ properties
│ │ │ └ RoleARN: (documentation changed)
│ │ └[~] type MetricsCollection
│ │ └ properties
│ │ └ Metrics: (documentation changed)
│ ├[~] resource AWS::AutoScaling::LaunchConfiguration
│ │ ├ properties
│ │ │ ├ AssociatePublicIpAddress: (documentation changed)
│ │ │ ├ EbsOptimized: (documentation changed)
│ │ │ ├ ImageId: (documentation changed)
│ │ │ ├ InstanceMonitoring: (documentation changed)
│ │ │ ├ KeyName: (documentation changed)
│ │ │ ├ MetadataOptions: (documentation changed)
│ │ │ └ PlacementTenancy: (documentation changed)
│ │ └ types
│ │ └[~] type BlockDevice
│ │ └ properties
│ │ ├ Encrypted: (documentation changed)
│ │ └ VolumeType: (documentation changed)
│ ├[~] resource AWS::AutoScaling::LifecycleHook
│ │ └ properties
│ │ └ RoleARN: (documentation changed)
│ └[~] resource AWS::AutoScaling::ScalingPolicy
│ ├ properties
│ │ └ Cooldown: (documentation changed)
│ └ types
│ └[~] type PredictiveScalingConfiguration
│ └ properties
│ └ MaxCapacityBreachBehavior: (documentation changed)
├[~] service aws-backup
│ └ resources
│ ├[~] resource AWS::Backup::BackupPlan
│ │ ├ properties
│ │ │ └ BackupPlanTags: (documentation changed)
│ │ └ types
│ │ ├[~] type BackupRuleResourceType
│ │ │ └ properties
│ │ │ └ RecoveryPointTags: (documentation changed)
│ │ └[~] type LifecycleResourceType
│ │ └ properties
│ │ └ OptInToArchiveForSupportedResources: (documentation changed)
│ ├[~] resource AWS::Backup::BackupSelection
│ │ └ types
│ │ └[~] type ConditionParameter
│ │ └ - documentation: Includes information about tags you define to assign tagged resources to a backup plan.
│ │ + documentation: Includes information about tags you define to assign tagged resources to a backup plan.
│ │ Include the prefix `aws:ResourceTag` in your tags. For example, `"aws:ResourceTag/TagKey1": "Value1"` .
│ ├[~] resource AWS::Backup::BackupVault
│ │ └ properties
│ │ └ BackupVaultTags: (documentation changed)
│ ├[~] resource AWS::Backup::Framework
│ │ ├ properties
│ │ │ └ FrameworkTags: (documentation changed)
│ │ └ types
│ │ ├[~] type ControlInputParameter
│ │ │ └ - documentation: A list of parameters for a control. A control can have zero, one, or more than one parameter. An example of a control with two parameters is: "backup plan frequency is at least `daily` and the retention period is at least `1 year` ". The first parameter is `daily` . The second parameter is `1 year` .
│ │ │ + documentation: The parameters for a control. A control can have zero, one, or more than one parameter. An example of a control with two parameters is: "backup plan frequency is at least `daily` and the retention period is at least `1 year` ". The first parameter is `daily` . The second parameter is `1 year` .
│ │ └[~] type FrameworkControl
│ │ └ properties
│ │ └ ControlInputParameters: (documentation changed)
│ ├[~] resource AWS::Backup::ReportPlan
│ │ ├ properties
│ │ │ └ ReportPlanTags: (documentation changed)
│ │ └ types
│ │ └[~] type ReportDeliveryChannel
│ │ └ properties
│ │ └ Formats: (documentation changed)
│ ├[~] resource AWS::Backup::RestoreTestingPlan
│ │ └ - documentation: This is the first of two steps to create a restore testing plan; once this request is successful, finish the procedure with request CreateRestoreTestingSelection.
│ │ You must include the parameter RestoreTestingPlan. You may optionally include CreatorRequestId and Tags.
│ │ + documentation: Creates a restore testing plan.
│ │ The first of two steps to create a restore testing plan. After this request is successful, finish the procedure using CreateRestoreTestingSelection.
│ └[~] resource AWS::Backup::RestoreTestingSelection
│ ├ properties
│ │ └ RestoreTestingSelectionName: (documentation changed)
│ └ types
│ └[~] type ProtectedResourceConditions
│ └ - documentation: A list of conditions that you define for resources in your restore testing plan using tags.
│ For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive.
│ + documentation: The conditions that you define for resources in your restore testing plan using tags.
│ For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive.
├[~] service aws-batch
│ └ resources
│ └[~] resource AWS::Batch::JobDefinition
│ └ types
│ └[~] type ImagePullSecret
│ ├ - documentation: undefined
│ │ + documentation: References a Kubernetes secret resource. This name of the secret must start and end with an alphanumeric character, is required to be lowercase, can include periods (.) and hyphens (-), and can't contain more than 253 characters.
│ └ properties
│ └ Name: (documentation changed)
├[~] service aws-bedrock
│ └ resources
│ ├[~] resource AWS::Bedrock::Agent
│ │ ├ properties
│ │ │ ├ AgentResourceRoleArn: (documentation changed)
│ │ │ └ CustomerEncryptionKeyArn: (documentation changed)
│ │ ├ attributes
│ │ │ └ AgentArn: (documentation changed)
│ │ └ types
│ │ ├[~] type ActionGroupExecutor
│ │ │ └ properties
│ │ │ └ Lambda: (documentation changed)
│ │ └[~] type AgentActionGroup
│ │ └ properties
│ │ └ ActionGroupExecutor: (documentation changed)
│ ├[~] resource AWS::Bedrock::AgentAlias
│ │ └ attributes
│ │ └ AgentAliasArn: (documentation changed)
│ ├[~] resource AWS::Bedrock::DataSource
│ │ └ types
│ │ ├[~] type S3DataSourceConfiguration
│ │ │ └ properties
│ │ │ └ BucketArn: (documentation changed)
│ │ └[~] type ServerSideEncryptionConfiguration
│ │ └ properties
│ │ └ KmsKeyArn: (documentation changed)
│ └[~] resource AWS::Bedrock::KnowledgeBase
│ ├ properties
│ │ └ RoleArn: (documentation changed)
│ ├ attributes
│ │ └ KnowledgeBaseArn: (documentation changed)
│ └ types
│ └[~] type VectorKnowledgeBaseConfiguration
│ └ properties
│ └ EmbeddingModelArn: (documentation changed)
├[~] service aws-cloudwatch
│ └ resources
│ └[~] resource AWS::CloudWatch::AnomalyDetector
│ ├ properties
│ │ └[+] MetricCharacteristics: MetricCharacteristics (immutable)
│ └ types
│ └[+] type MetricCharacteristics
│ ├ documentation: This object includes parameters that you can use to provide information to CloudWatch to help it build more accurate anomaly detection models.
│ │ name: MetricCharacteristics
│ └ properties
│ └PeriodicSpikes: boolean
├[~] service aws-datazone
│ └ resources
│ └[~] resource AWS::DataZone::DataSource
│ └ types
│ └[~] type GlueRunConfigurationInput
│ └ properties
│ └[+] AutoImportDataQualityResult: boolean
├[~] service aws-dms
│ └ resources
│ └[~] resource AWS::DMS::Endpoint
│ └ types
│ └[~] type PostgreSqlSettings
│ └ properties
│ └ CaptureDdls: (documentation changed)
├[~] service aws-ec2
│ └ resources
│ ├[~] resource AWS::EC2::CustomerGateway
│ │ └ properties
│ │ ├ BgpAsn: - integer (required, default=65000, immutable)
│ │ │ + integer (default=65000, immutable)
│ │ └[+] BgpAsnExtended: number (immutable)
│ └[~] resource AWS::EC2::TransitGatewayRoute
│ └ properties
│ └ DestinationCidrBlock: - string (immutable)
│ + string (required, immutable)
├[~] service aws-ecr
│ └ resources
│ └[+] resource AWS::ECR::RepositoryCreationTemplate
│ ├ name: RepositoryCreationTemplate
│ │ cloudFormationType: AWS::ECR::RepositoryCreationTemplate
│ │ documentation: AWS::ECR::RepositoryCreationTemplate is used to create repository with configuration from a pre-defined template.
│ ├ properties
│ │ ├Prefix: string (required, immutable)
│ │ ├Description: string
│ │ ├ImageTagMutability: string
│ │ ├RepositoryPolicy: string
│ │ ├LifecyclePolicy: string
│ │ ├EncryptionConfiguration: EncryptionConfiguration
│ │ ├ResourceTags: Array<tag>
│ │ └AppliedFor: Array<string> (required)
│ ├ attributes
│ │ ├CreatedAt: string
│ │ └UpdatedAt: string
│ └ types
│ └type EncryptionConfiguration
│ ├ documentation: The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
│ │ By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. This does not require any action on your part.
│ │ For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS Key Management Service key stored in AWS Key Management Service ( AWS KMS ) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide* .
│ │ name: EncryptionConfiguration
│ └ properties
│ ├EncryptionType: string (required)
│ └KmsKey: string
├[~] service aws-kms
│ └ resources
│ └[~] resource AWS::KMS::Key
│ └ properties
│ └[+] RotationPeriodInDays: integer (default=365)
├[~] service aws-lambda
│ └ resources
│ └[~] resource AWS::Lambda::Alias
│ └ attributes
│ └[+] AliasArn: string
├[~] service aws-oam
│ └ resources
│ └[~] resource AWS::Oam::Link
│ ├ properties
│ │ └[+] LinkConfiguration: LinkConfiguration
│ └ types
│ ├[+] type LinkConfiguration
│ │ ├ name: LinkConfiguration
│ │ └ properties
│ │ ├MetricConfiguration: LinkFilter
│ │ └LogGroupConfiguration: LinkFilter
│ └[+] type LinkFilter
│ ├ name: LinkFilter
│ └ properties
│ └Filter: string (required)
├[~] service aws-quicksight
│ └ resources
│ ├[~] resource AWS::QuickSight::Dashboard
│ │ └ attributes
│ │ └ Version: (documentation changed)
│ └[~] resource AWS::QuickSight::Template
│ └ attributes
│ └ Version: (documentation changed)
├[~] service aws-rds
│ └ resources
│ └[~] resource AWS::RDS::DBInstance
│ └ properties
│ ├ Engine: (documentation changed)
│ ├ KmsKeyId: (documentation changed)
│ └ StorageEncrypted: (documentation changed)
├[~] service aws-redshiftserverless
│ └ resources
│ └[~] resource AWS::RedshiftServerless::Namespace
│ ├ properties
│ │ └[+] SnapshotCopyConfigurations: Array<SnapshotCopyConfiguration>
│ └ types
│ └[+] type SnapshotCopyConfiguration
│ ├ name: SnapshotCopyConfiguration
│ └ properties
│ ├DestinationRegion: string (required)
│ ├DestinationKmsKeyId: string
│ └SnapshotRetentionPeriod: integer
├[~] service aws-securitylake
│ └ resources
│ ├[~] resource AWS::SecurityLake::AwsLogSource
│ │ ├ - documentation: Resource Type definition for AWS::SecurityLake::AwsLogSource
│ │ │ + documentation: Adds a natively supported AWS service as an AWS source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it.
│ │ │ > If you want to create multiple sources using `AWS::SecurityLake::AwsLogSource` , you must use the `DependsOn` attribute to create the sources sequentially. With the `DependsOn` attribute you can specify that the creation of a specific `AWSLogSource` follows another. When you add a `DependsOn` attribute to a resource, that resource is created only after the creation of the resource specified in the `DependsOn` attribute. For an example, see [Add AWS log sources](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-resource-securitylake-awslogsource.html#aws-resource-securitylake-awslogsource--examples) .
│ │ └ properties
│ │ ├ Accounts: (documentation changed)
│ │ ├ DataLakeArn: (documentation changed)
│ │ ├ SourceName: (documentation changed)
│ │ └ SourceVersion: (documentation changed)
│ ├[~] resource AWS::SecurityLake::DataLake
│ │ ├ - documentation: Resource Type definition for AWS::SecurityLake::DataLake
│ │ │ + documentation: Initializes an Amazon Security Lake instance with the provided (or default) configuration. You can enable Security Lake in AWS Regions with customized settings before enabling log collection in Regions. To specify particular Regions, configure these Regions using the `configurations` parameter. If you have already enabled Security Lake in a Region when you call this command, the command will update the Region if you provide new configuration parameters. If you have not already enabled Security Lake in the Region when you call this API, it will set up the data lake in the Region with the specified configurations.
│ │ │ When you enable Security Lake , it starts ingesting security data after the `CreateAwsLogSource` call. This includes ingesting security data from sources, storing data, and making data accessible to subscribers. Security Lake also enables all the existing settings and resources that it stores or maintains for your AWS account in the current Region, including security log and event data. For more information, see the [Amazon Security Lake User Guide](https://docs.aws.amazon.com//security-lake/latest/userguide/what-is-security-lake.html) .
│ │ ├ properties
│ │ │ ├ EncryptionConfiguration: (documentation changed)
│ │ │ ├ LifecycleConfiguration: (documentation changed)
│ │ │ ├ MetaStoreManagerRoleArn: (documentation changed)
│ │ │ └ Tags: (documentation changed)
│ │ ├ attributes
│ │ │ ├ Arn: (documentation changed)
│ │ │ └ S3BucketArn: (documentation changed)
│ │ └ types
│ │ ├[~] type EncryptionConfiguration
│ │ │ ├ - documentation: Provides encryption details of Amazon Security Lake object.
│ │ │ │ + documentation: Provides encryption details of the Amazon Security Lake object. The AWS shared responsibility model applies to data protection in Amazon Security Lake . As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. For more details, see [Data protection](https://docs.aws.amazon.com//security-lake/latest/userguide/data-protection.html) in the Amazon Security Lake User Guide.
│ │ │ └ properties
│ │ │ └ KmsKeyId: (documentation changed)
│ │ ├[~] type Expiration
│ │ │ ├ - documentation: Provides data expiration details of Amazon Security Lake object.
│ │ │ │ + documentation: Provides data expiration details of the Amazon Security Lake object. You can specify your preferred Amazon S3 storage class and the time period for S3 objects to stay in that storage class before they expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* .
│ │ │ └ properties
│ │ │ └ Days: (documentation changed)
│ │ ├[~] type LifecycleConfiguration
│ │ │ ├ - documentation: Provides lifecycle details of Amazon Security Lake object.
│ │ │ │ + documentation: Provides lifecycle details of Amazon Security Lake object. To manage your data so that it is stored cost effectively, you can configure retention settings for the data. You can specify your preferred Amazon S3 storage class and the time period for Amazon S3 objects to stay in that storage class before they transition to a different storage class or expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* .
│ │ │ │ In Security Lake , you specify retention settings at the Region level. For example, you might choose to transition all S3 objects in a specific AWS Region to the `S3 Standard-IA` storage class 30 days after they're written to the data lake. The default Amazon S3 storage class is S3 Standard.
│ │ │ │ > Security Lake doesn't support Amazon S3 Object Lock. When the data lake buckets are created, S3 Object Lock is disabled by default. Enabling S3 Object Lock with default retention mode interrupts the delivery of normalized log data to the data lake.
│ │ │ └ properties
│ │ │ ├ Expiration: (documentation changed)
│ │ │ └ Transitions: (documentation changed)
│ │ ├[~] type ReplicationConfiguration
│ │ │ ├ - documentation: Provides replication details of Amazon Security Lake object.
│ │ │ │ + documentation: Provides replication configuration details for objects stored in the Amazon Security Lake data lake.
│ │ │ └ properties
│ │ │ ├ Regions: (documentation changed)
│ │ │ └ RoleArn: (documentation changed)
│ │ └[~] type Transitions
│ │ ├ - documentation: undefined
│ │ │ + documentation: Provides transition lifecycle details of the Amazon Security Lake object. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* .
│ │ └ properties
│ │ ├ Days: (documentation changed)
│ │ └ StorageClass: (documentation changed)
│ └[~] resource AWS::SecurityLake::Subscriber
│ ├ - documentation: Resource Type definition for AWS::SecurityLake::Subscriber
│ │ + documentation: Creates a subscriber for accounts that are already enabled in Amazon Security Lake. You can create a subscriber with access to data in the current AWS Region.
│ ├ properties
│ │ ├ AccessTypes: (documentation changed)
│ │ ├ DataLakeArn: (documentation changed)
│ │ ├ Sources: (documentation changed)
│ │ ├ SubscriberDescription: (documentation changed)
│ │ └ SubscriberName: (documentation changed)
│ ├ attributes
│ │ ├ ResourceShareArn: (documentation changed)
│ │ ├ ResourceShareName: (documentation changed)
│ │ ├ S3BucketArn: (documentation changed)
│ │ ├ SubscriberArn: (documentation changed)
│ │ └ SubscriberRoleArn: (documentation changed)
│ └ types
│ ├[~] type AwsLogSource
│ │ ├ - documentation: Amazon Security Lake supports log and event collection for natively supported AWS services.
│ │ │ + documentation: Adds a natively supported AWS service as an Amazon Security Lake source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it.
│ │ └ properties
│ │ ├ SourceName: (documentation changed)
│ │ └ SourceVersion: (documentation changed)
│ ├[~] type CustomLogSource
│ │ ├ - documentation: undefined
│ │ │ + documentation: Third-party custom log source that meets the requirements to be added to Amazon Security Lake . For more details, see [Custom log source](https://docs.aws.amazon.com//security-lake/latest/userguide/custom-sources.html#iam-roles-custom-sources) in the *Amazon Security Lake User Guide* .
│ │ └ properties
│ │ ├ SourceName: (documentation changed)
│ │ └ SourceVersion: (documentation changed)
│ ├[~] type Source
│ │ ├ - documentation: undefined
│ │ │ + documentation: Sources are logs and events generated from a single system that match a specific event class in the Open Cybersecurity Schema Framework (OCSF) schema. Amazon Security Lake can collect logs and events from a variety of sources, including natively supported AWS services and third-party custom sources.
│ │ └ properties
│ │ ├ AwsLogSource: (documentation changed)
│ │ └ CustomLogSource: (documentation changed)
│ └[~] type SubscriberIdentity
│ ├ - documentation: The AWS identity used to access your data.
│ │ + documentation: Specify the AWS account ID and external ID that the subscriber will use to access source data.
│ └ properties
│ ├ ExternalId: (documentation changed)
│ └ Principal: (documentation changed)
├[~] service aws-ssm
│ └ resources
│ └[~] resource AWS::SSM::Document
│ └ properties
│ └ Name: (documentation changed)
├[~] service aws-timestream
│ └ resources
│ └[+] resource AWS::Timestream::InfluxDBInstance
│ ├ name: InfluxDBInstance
│ │ cloudFormationType: AWS::Timestream::InfluxDBInstance
│ │ documentation: A DB instance is an isolated database environment running in the cloud. It is the basic building block of Amazon Timestream for InfluxDB. A DB instance can contain multiple user-created databases (or organizations and buckets for the case of InfluxDb 2.x databases), and can be accessed using the same client tools and applications you might use to access a standalone self-managed InfluxDB instance.
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├Username: string (immutable)
│ │ ├Password: string (immutable)
│ │ ├Organization: string (immutable)
│ │ ├Bucket: string (immutable)
│ │ ├DbInstanceType: string (immutable)
│ │ ├VpcSubnetIds: Array<string> (immutable)
│ │ ├VpcSecurityGroupIds: Array<string> (immutable)
│ │ ├PubliclyAccessible: boolean (default=false, immutable)
│ │ ├DbStorageType: string (immutable)
│ │ ├AllocatedStorage: integer (immutable)
│ │ ├DbParameterGroupIdentifier: string
│ │ ├LogDeliveryConfiguration: LogDeliveryConfiguration
│ │ ├Name: string (immutable)
│ │ ├DeploymentType: string (immutable)
│ │ └Tags: Array<tag>
│ ├ attributes
│ │ ├Status: string
│ │ ├Arn: string
│ │ ├Id: string
│ │ ├AvailabilityZone: string
│ │ ├Endpoint: string
│ │ ├SecondaryAvailabilityZone: string
│ │ └InfluxAuthParametersSecretArn: string
│ └ types
│ ├type LogDeliveryConfiguration
│ │├ documentation: Configuration for sending InfluxDB engine logs to a specified S3 bucket.
│ ││ name: LogDeliveryConfiguration
│ │└ properties
│ │ └S3Configuration: S3Configuration (required)
│ └type S3Configuration
│ ├ documentation: Configuration for S3 bucket log delivery.
│ │ name: S3Configuration
│ └ properties
│ ├BucketName: string (required)
│ └Enabled: boolean (required)
├[~] service aws-transfer
│ └ resources
│ ├[~] resource AWS::Transfer::Certificate
│ │ └ properties
│ │ └ Usage: (documentation changed)
│ └[~] resource AWS::Transfer::Server
│ └ properties
│ └ Domain: (documentation changed)
└[~] service aws-wisdom
└ resources
└[~] resource AWS::Wisdom::KnowledgeBase
└ types
└[~] type AppIntegrationsConfiguration
└ properties
└ ObjectFields: (documentation changed)
```- Loading branch information
1 parent
1d16304
commit 27b7a45