feat: update L1 CloudFormation resource definitions #29052

Closed
wants to merge 1 commit into from

aws-cdk-automation
Collaborator

Updates the L1 CloudFormation resource definitions with the latest changes from @aws-cdk/aws-service-spec

L1 CloudFormation resource definition changes:

├[~] service aws-acmpca
│ └ resources
│    └[~] resource AWS::ACMPCA::CertificateAuthority
│      └ types
│         ├[~] type CrlConfiguration
│         │ ├  - documentation: Contains configuration information for a certificate revocation list (CRL). Your private certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You can enable CRLs for your new or an existing private CA by setting the *Enabled* parameter to `true` . Your private CA writes CRLs to an S3 bucket that you specify in the *S3BucketName* parameter. You can hide the name of your bucket by specifying a value for the *CustomCname* parameter. Your private CA copies the CNAME or the S3 bucket name to the *CRL Distribution Points* extension of each certificate it issues. Your S3 bucket policy must give write permission to AWS Private CA.
│         │ │  AWS Private CA assets that are stored in Amazon S3 can be protected with encryption. For more information, see [Encrypting Your CRLs](https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#crl-encryption) .
│         │ │  Your private CA uses the value in the *ExpirationInDays* parameter to calculate the *nextUpdate* field in the CRL. The CRL is refreshed prior to a certificate's expiration date or when a certificate is revoked. When a certificate is revoked, it appears in the CRL until the certificate expires, and then in one additional CRL after expiration, and it always appears in the audit report.
│         │ │  A CRL is typically updated approximately 30 minutes after a certificate is revoked. If for any reason a CRL update fails, AWS Private CA makes further attempts every 15 minutes.
│         │ │  CRLs contain the following fields:
│         │ │  - *Version* : The current version number defined in RFC 5280 is V2. The integer value is 0x1.
│         │ │  - *Signature Algorithm* : The name of the algorithm used to sign the CRL.
│         │ │  - *Issuer* : The X.500 distinguished name of your private CA that issued the CRL.
│         │ │  - *Last Update* : The issue date and time of this CRL.
│         │ │  - *Next Update* : The day and time by which the next CRL will be issued.
│         │ │  - *Revoked Certificates* : List of revoked certificates. Each list item contains the following information.
│         │ │  - *Serial Number* : The serial number, in hexadecimal format, of the revoked certificate.
│         │ │  - *Revocation Date* : Date and time the certificate was revoked.
│         │ │  - *CRL Entry Extensions* : Optional extensions for the CRL entry.
│         │ │  - *X509v3 CRL Reason Code* : Reason the certificate was revoked.
│         │ │  - *CRL Extensions* : Optional extensions for the CRL.
│         │ │  - *X509v3 Authority Key Identifier* : Identifies the public key associated with the private key used to sign the certificate.
│         │ │  - *X509v3 CRL Number:* : Decimal sequence number for the CRL.
│         │ │  - *Signature Algorithm* : Algorithm used by your private CA to sign the CRL.
│         │ │  - *Signature Value* : Signature computed over the CRL.
│         │ │  Certificate revocation lists created by AWS Private CA are DER-encoded. You can use the following OpenSSL command to list a CRL.
│         │ │  `openssl crl -inform DER -text -in *crl_path* -noout`
│         │ │  For more information, see [Planning a certificate revocation list (CRL)](https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html) in the *AWS Private Certificate Authority User Guide*
│         │ │  + documentation: Contains configuration information for a certificate revocation list (CRL). Your private certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You can enable CRLs for your new or an existing private CA by setting the *Enabled* parameter to `true` . Your private CA writes CRLs to an S3 bucket that you specify in the *S3BucketName* parameter. You can hide the name of your bucket by specifying a value for the *CustomCname* parameter. Your private CA by default copies the CNAME or the S3 bucket name to the *CRL Distribution Points* extension of each certificate it issues. If you want to configure this default behavior to be something different, you can set the *CrlDistributionPointExtensionConfiguration* parameter. Your S3 bucket policy must give write permission to AWS Private CA.
│         │ │  AWS Private CA assets that are stored in Amazon S3 can be protected with encryption. For more information, see [Encrypting Your CRLs](https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#crl-encryption) .
│         │ │  Your private CA uses the value in the *ExpirationInDays* parameter to calculate the *nextUpdate* field in the CRL. The CRL is refreshed prior to a certificate's expiration date or when a certificate is revoked. When a certificate is revoked, it appears in the CRL until the certificate expires, and then in one additional CRL after expiration, and it always appears in the audit report.
│         │ │  A CRL is typically updated approximately 30 minutes after a certificate is revoked. If for any reason a CRL update fails, AWS Private CA makes further attempts every 15 minutes.
│         │ │  CRLs contain the following fields:
│         │ │  - *Version* : The current version number defined in RFC 5280 is V2. The integer value is 0x1.
│         │ │  - *Signature Algorithm* : The name of the algorithm used to sign the CRL.
│         │ │  - *Issuer* : The X.500 distinguished name of your private CA that issued the CRL.
│         │ │  - *Last Update* : The issue date and time of this CRL.
│         │ │  - *Next Update* : The day and time by which the next CRL will be issued.
│         │ │  - *Revoked Certificates* : List of revoked certificates. Each list item contains the following information.
│         │ │  - *Serial Number* : The serial number, in hexadecimal format, of the revoked certificate.
│         │ │  - *Revocation Date* : Date and time the certificate was revoked.
│         │ │  - *CRL Entry Extensions* : Optional extensions for the CRL entry.
│         │ │  - *X509v3 CRL Reason Code* : Reason the certificate was revoked.
│         │ │  - *CRL Extensions* : Optional extensions for the CRL.
│         │ │  - *X509v3 Authority Key Identifier* : Identifies the public key associated with the private key used to sign the certificate.
│         │ │  - *X509v3 CRL Number:* : Decimal sequence number for the CRL.
│         │ │  - *Signature Algorithm* : Algorithm used by your private CA to sign the CRL.
│         │ │  - *Signature Value* : Signature computed over the CRL.
│         │ │  Certificate revocation lists created by AWS Private CA are DER-encoded. You can use the following OpenSSL command to list a CRL.
│         │ │  `openssl crl -inform DER -text -in *crl_path* -noout`
│         │ │  For more information, see [Planning a certificate revocation list (CRL)](https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html) in the *AWS Private Certificate Authority User Guide*
│         │ └ properties
│         │    └ CrlDistributionPointExtensionConfiguration: (documentation changed)
│         └[~] type CrlDistributionPointExtensionConfiguration
│           ├  - documentation: Configures the default behavior of the CRL Distribution Point extension for certificates issued by your certificate authority
│           │  + documentation: Contains configuration information for the default behavior of the CRL Distribution Point (CDP) extension in certificates issued by your CA. This extension contains a link to download the CRL, so you can check whether a certificate has been revoked. To choose whether you want this extension omitted or not in certificates issued by your CA, you can set the *OmitExtension* parameter.
│           └ properties
│              └ OmitExtension: (documentation changed)
├[~] service aws-amazonmq
│ └ resources
│    └[~] resource AWS::AmazonMQ::Broker
│      └ types
│         └[~] type User
│           └ properties
│              └ ReplicationUser: (documentation changed)
├[~] service aws-amplifyuibuilder
│ └ resources
│    ├[~] resource AWS::AmplifyUIBuilder::Component
│    │ ├ properties
│    │ │  ├ AppId: - string
│    │ │  │        + string (immutable)
│    │ │  ├ BindingProperties: - Map<string, ComponentBindingPropertiesValue> (required)
│    │ │  │                    + Map<string, ComponentBindingPropertiesValue>
│    │ │  ├ ComponentType: - string (required)
│    │ │  │                + string
│    │ │  ├ EnvironmentName: - string
│    │ │  │                  + string (immutable)
│    │ │  ├ Name: - string (required)
│    │ │  │       + string
│    │ │  ├ Overrides: - Map<string, Map<string, string>> ⇐ json (required)
│    │ │  │            + Map<string, Map<string, string>> ⇐ json
│    │ │  ├ Properties: - Map<string, ComponentProperty> (required)
│    │ │  │             + Map<string, ComponentProperty>
│    │ │  └ Variants: - Array<ComponentVariant> (required)
│    │ │              + Array<ComponentVariant>
│    │ ├ attributes
│    │ │  ├[+] CreatedAt: string
│    │ │  └[+] ModifiedAt: string
│    │ └ types
│    │    ├[~] type ComponentBindingPropertiesValueProperties
│    │    │ └ properties
│    │    │    └[+] SlotName: string
│    │    ├[~] type ComponentChild
│    │    │ └ properties
│    │    │    └[+] SourceId: string
│    │    ├[~] type ComponentEvent
│    │    │ └ properties
│    │    │    └[+] BindingEvent: string
│    │    └[~] type Predicate
│    │      └ properties
│    │         └[+] OperandType: string
│    ├[~] resource AWS::AmplifyUIBuilder::Form
│    │ ├ properties
│    │ │  ├ AppId: - string
│    │ │  │        + string (immutable)
│    │ │  ├ DataType: - FormDataTypeConfig (required)
│    │ │  │           + FormDataTypeConfig
│    │ │  ├ EnvironmentName: - string
│    │ │  │                  + string (immutable)
│    │ │  ├ Fields: - Map<string, FieldConfig> (required)
│    │ │  │         + Map<string, FieldConfig>
│    │ │  ├ FormActionType: - string (required)
│    │ │  │                 + string
│    │ │  ├ Name: - string (required)
│    │ │  │       + string
│    │ │  ├ SchemaVersion: - string (required)
│    │ │  │                + string
│    │ │  ├ SectionalElements: - Map<string, SectionalElement> (required)
│    │ │  │                    + Map<string, SectionalElement>
│    │ │  └ Style: - FormStyle (required)
│    │ │           + FormStyle
│    │ └ types
│    │    ├[+] type FormInputBindingPropertiesValue
│    │    │ ├  documentation: Represents the data binding configuration for a form's input fields at runtime.You can use `FormInputBindingPropertiesValue` to add exposed properties to a form to allow different values to be entered when a form is reused in different places in an app.
│    │    │ │  name: FormInputBindingPropertiesValue
│    │    │ └ properties
│    │    │    ├Type: string
│    │    │    └BindingProperties: FormInputBindingPropertiesValueProperties
│    │    ├[+] type FormInputBindingPropertiesValueProperties
│    │    │ ├  documentation: Represents the data binding configuration for a specific property using data stored in AWS . For AWS connected properties, you can bind a property to data stored in an Amplify DataStore model.
│    │    │ │  name: FormInputBindingPropertiesValueProperties
│    │    │ └ properties
│    │    │    └Model: string
│    │    ├[~] type FormInputValueProperty
│    │    │ └ properties
│    │    │    ├[+] BindingProperties: FormInputValuePropertyBindingProperties
│    │    │    └[+] Concat: Array<FormInputValueProperty>
│    │    ├[+] type FormInputValuePropertyBindingProperties
│    │    │ ├  documentation: Associates a form property to a binding property. This enables exposed properties on the top level form to propagate data to the form's property values.
│    │    │ │  name: FormInputValuePropertyBindingProperties
│    │    │ └ properties
│    │    │    ├Property: string (required)
│    │    │    └Field: string
│    │    └[~] type ValueMappings
│    │      └ properties
│    │         └[+] BindingProperties: Map<string, FormInputBindingPropertiesValue>
│    └[~] resource AWS::AmplifyUIBuilder::Theme
│      ├ properties
│      │  ├ AppId: - string
│      │  │        + string (immutable)
│      │  ├ EnvironmentName: - string
│      │  │                  + string (immutable)
│      │  ├ Name: - string (required)
│      │  │       + string
│      │  └ Values: - Array<ThemeValues> (required)
│      │            + Array<ThemeValues>
│      └ attributes
│         ├[+] CreatedAt: string
│         └[+] ModifiedAt: string
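Review bot: Under AWS::AmplifyUIBuilder::Component, Form and Theme, every property that loses `(required)` (for example `Name: - string (required)` becoming `+ string`) is no longer checked as required by the generated L1, so a stack that omits `Name`, `ComponentType` or `SchemaVersion` will not be rejected before deployment. `AppId` and `EnvironmentName` also gain `(immutable)`, which marks them create-only, so changing either replaces the resource. Both points deserve a line in the PR description so consumers can review stacks that set these properties before upgrading.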
├[~] service aws-appconfig
│ └ resources
│    ├[~] resource AWS::AppConfig::Environment
│    │ ├ properties
│    │ │  └ Monitors: - Array<Monitors>
│    │ │              + Array<Monitor> ⇐ Array<Monitors>
│    │ ├ attributes
│    │ │  └[+] EnvironmentId: string
│    │ └ types
│    │    ├[+] type Monitor
│    │    │ ├  documentation: Amazon CloudWatch alarms to monitor during the deployment process.
│    │    │ │  name: Monitor
│    │    │ └ properties
│    │    │    ├AlarmArn: string (required)
│    │    │    └AlarmRoleArn: string
│    │    ├[~] type Monitors
│    │    │ ├  - documentation: Amazon CloudWatch alarms to monitor during the deployment process.
│    │    │ │  + documentation: undefined
│    │    │ └ properties
│    │    │    ├ AlarmArn: (documentation changed)
│    │    │    └ AlarmRoleArn: (documentation changed)
│    │    └[~] type Tags
│    │      ├  - documentation: Metadata to assign to the environment. Tags help organize and categorize your AWS AppConfig resources. Each tag consists of a key and an optional value, both of which you define.
│    │      │  + documentation: undefined
│    │      └ properties
│    │         ├ Key: (documentation changed)
│    │         └ Value: (documentation changed)
│    └[~] resource AWS::AppConfig::HostedConfigurationVersion
│      ├ properties
│      │  └ LatestVersionNumber: - number (immutable)
│      │                         + integer ⇐ number (immutable)
│      └ attributes
│         └[+] VersionNumber: string
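Review bot: In AWS::AppConfig::Environment the `Monitors` and `Tags` types have their documentation replaced with `+ documentation: undefined`, and their member properties are flagged `(documentation changed)` as well. `Monitors` is superseded by the new `Monitor` type (`+ Array<Monitor> ⇐ Array<Monitors>`), but no replacement for `Tags` is visible here, so these types would lose their doc comments in the generated L1. Suggest confirming in @aws-cdk/aws-service-spec whether the missing text is intended, and if `Monitors` is kept only for compatibility, documenting it as such rather than leaving it blank.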
├[~] service aws-appsync
│ └ resources
│    └[~] resource AWS::AppSync::GraphQLApi
│      └ properties
│         └[+] EnvironmentVariables: json
├[~] service aws-autoscaling
│ └ resources
│    └[~] resource AWS::AutoScaling::AutoScalingGroup
│      └ types
│         ├[~] type InstanceMaintenancePolicy
│         │ └ properties
│         │    ├ MaxHealthyPercentage: (documentation changed)
│         │    └ MinHealthyPercentage: (documentation changed)
│         └[~] type InstanceRequirements
│           └ properties
│              ├ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed)
│              ├ OnDemandMaxPricePercentageOverLowestPrice: (documentation changed)
│              └ SpotMaxPricePercentageOverLowestPrice: (documentation changed)
├[~] service aws-cassandra
│ └ resources
│    ├[~] resource AWS::Cassandra::Keyspace
│    │ └ types
│    │    └[~] type ReplicationSpecification
│    │      └  - documentation: You can use `ReplicationSpecification` to configure the `ReplicationStrategy` of a keyspace in Amazon Keyspaces.
│    │         The `ReplicationSpecification` property is `CreateOnly` and cannot be changed after the keyspace has been created. This property applies automatically to all tables in the keyspace.
│    │         For more information, see [Multi-Region Replication](https://docs.aws.amazon.com/keyspaces/latest/devguide/multiRegion-replication.html) in the *Amazon Keyspaces Developer Guide* .
│    │         + documentation: You can use `ReplicationSpecification` to configure the `ReplicationStrategy` of a keyspace in Amazon Keyspaces .
│    │         The `ReplicationSpecification` property is `CreateOnly` and cannot be changed after the keyspace has been created. This property applies automatically to all tables in the keyspace.
│    │         For more information, see [Multi-Region Replication](https://docs.aws.amazon.com/keyspaces/latest/devguide/multiRegion-replication.html) in the *Amazon Keyspaces Developer Guide* .
│    └[~] resource AWS::Cassandra::Table
│      ├ properties
│      │  ├[+] AutoScalingSpecifications: AutoScalingSpecification
│      │  ├ EncryptionSpecification: (documentation changed)
│      │  └[+] ReplicaSpecifications: Array<ReplicaSpecification>
│      └ types
│         ├[+] type AutoScalingSetting
│         │ ├  documentation: The optional auto scaling settings for a table with provisioned throughput capacity.
│         │ │  To turn on auto scaling for a table in `throughputMode:PROVISIONED` , you must specify the following parameters.
│         │ │  Configure the minimum and maximum capacity units. The auto scaling policy ensures that capacity never goes below the minimum or above the maximum range.
│         │ │  - `minimumUnits` : The minimum level of throughput the table should always be ready to support. The value must be between 1 and the max throughput per second quota for your account (40,000 by default).
│         │ │  - `maximumUnits` : The maximum level of throughput the table should always be ready to support. The value must be between 1 and the max throughput per second quota for your account (40,000 by default).
│         │ │  - `scalingPolicy` : Amazon Keyspaces supports the `target tracking` scaling policy. The auto scaling target is a percentage of the provisioned capacity of the table.
│         │ │  For more information, see [Managing throughput capacity automatically with Amazon Keyspaces auto scaling](https://docs.aws.amazon.com/keyspaces/latest/devguide/autoscaling.html) in the *Amazon Keyspaces Developer Guide* .
│         │ │  name: AutoScalingSetting
│         │ └ properties
│         │    ├AutoScalingDisabled: boolean (default=false)
│         │    ├MinimumUnits: integer
│         │    ├MaximumUnits: integer
│         │    └ScalingPolicy: ScalingPolicy
│         ├[+] type AutoScalingSpecification
│         │ ├  documentation: The optional auto scaling capacity settings for a table in provisioned capacity mode.
│         │ │  name: AutoScalingSpecification
│         │ └ properties
│         │    ├WriteCapacityAutoScaling: AutoScalingSetting
│         │    └ReadCapacityAutoScaling: AutoScalingSetting
│         ├[~] type Column
│         │ └  - documentation: The name and data type of an individual column in a table.
│         │    + documentation: The name and data type of an individual column in a table. In addition to the data type, you can also use the following two keywords:
│         │    - `STATIC` if the table has a clustering column. Static columns store values that are shared by all rows in the same partition.
│         │    - `FROZEN` for collection data types. In frozen collections the values of the collection are serialized into a single immutable value, and Amazon Keyspaces treats them like a `BLOB` .
│         ├[+] type ReplicaSpecification
│         │ ├  documentation: The AWS Region specific settings of a multi-Region table.
│         │ │  For a multi-Region table, you can configure the table's read capacity differently per AWS Region. You can do this by configuring the following parameters.
│         │ │  - `region` : The Region where these settings are applied. (Required)
│         │ │  - `readCapacityUnits` : The provisioned read capacity units. (Optional)
│         │ │  - `readCapacityAutoScaling` : The read capacity auto scaling settings for the table. (Optional)
│         │ │  name: ReplicaSpecification
│         │ └ properties
│         │    ├Region: string (required)
│         │    ├ReadCapacityUnits: integer
│         │    └ReadCapacityAutoScaling: AutoScalingSetting
│         ├[+] type ScalingPolicy
│         │ ├  documentation: Amazon Keyspaces supports the `target tracking` auto scaling policy. With this policy, Amazon Keyspaces auto scaling ensures that the table's ratio of consumed to provisioned capacity stays at or near the target value that you specify. You define the target value as a percentage between 20 and 90.
│         │ │  name: ScalingPolicy
│         │ └ properties
│         │    └TargetTrackingScalingPolicyConfiguration: TargetTrackingScalingPolicyConfiguration
│         └[+] type TargetTrackingScalingPolicyConfiguration
│           ├  documentation: Amazon Keyspaces supports the `target tracking` auto scaling policy for a provisioned table. This policy scales a table based on the ratio of consumed to provisioned capacity. The auto scaling target is a percentage of the provisioned capacity of the table.
│           │  - `targetTrackingScalingPolicyConfiguration` : To define the target tracking policy, you must define the target value.
│           │  - `targetValue` : The target utilization rate of the table. Amazon Keyspaces auto scaling ensures that the ratio of consumed capacity to provisioned capacity stays at or near this value. You define `targetValue` as a percentage. A `double` between 20 and 90. (Required)
│           │  - `disableScaleIn` : A `boolean` that specifies if `scale-in` is disabled or enabled for the table. This parameter is disabled by default. To turn on `scale-in` , set the `boolean` value to `FALSE` . This means that capacity for a table can be automatically scaled down on your behalf. (Optional)
│           │  - `scaleInCooldown` : A cooldown period in seconds between scaling activities that lets the table stabilize before another scale in activity starts. If no value is provided, the default is 0. (Optional)
│           │  - `scaleOutCooldown` : A cooldown period in seconds between scaling activities that lets the table stabilize before another scale out activity starts. If no value is provided, the default is 0. (Optional)
│           │  name: TargetTrackingScalingPolicyConfiguration
│           └ properties
│              ├DisableScaleIn: boolean
│              ├ScaleInCooldown: integer (default=0)
│              ├ScaleOutCooldown: integer (default=0)
│              └TargetValue: integer (required)
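Review bot: In the new `TargetTrackingScalingPolicyConfiguration` type, `TargetValue: integer (required)` disagrees with its own documentation, which describes `targetValue` as "A `double` between 20 and 90". Either the property type or the documentation text is wrong, and it is worth raising against the service spec before this lands. The `disableScaleIn` text is also hard to follow ("This parameter is disabled by default. To turn on `scale-in` , set the `boolean` value to `FALSE`") while `DisableScaleIn: boolean` carries no default, unlike `AutoScalingDisabled: boolean (default=false)`; stating the default in the schema would remove the ambiguity.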
├[~] service aws-cloudfront
│ └ resources
│    ├[~] resource AWS::CloudFront::Distribution
│    │ └ types
│    │    └[~] type DefaultCacheBehavior
│    │      └ properties
│    │         └ FunctionAssociations: (documentation changed)
│    ├[~] resource AWS::CloudFront::Function
│    │ └ types
│    │    ├[~] type FunctionConfig
│    │    │ └ properties
│    │    │    └ KeyValueStoreAssociations: (documentation changed)
│    │    └[~] type KeyValueStoreAssociation
│    │      ├  - documentation: The Key Value Store association.
│    │      │  + documentation: The key value store association.
│    │      └ properties
│    │         └ KeyValueStoreARN: (documentation changed)
│    ├[~] resource AWS::CloudFront::KeyValueStore
│    │ ├  - documentation: The Key Value Store. Use this to separate data from function code, allowing you to update data without having to publish a new version of a function. The Key Value Store holds keys and their corresponding values.
│    │ │  + documentation: The key value store. Use this to separate data from function code, allowing you to update data without having to publish a new version of a function. The key value store holds keys and their corresponding values.
│    │ ├ properties
│    │ │  ├ Comment: (documentation changed)
│    │ │  ├ ImportSource: (documentation changed)
│    │ │  └ Name: (documentation changed)
│    │ ├ attributes
│    │ │  ├ Arn: (documentation changed)
│    │ │  ├ Id: (documentation changed)
│    │ │  └ Status: (documentation changed)
│    │ └ types
│    │    └[~] type ImportSource
│    │      ├  - documentation: The import source for the Key Value Store.
│    │      │  + documentation: The import source for the key value store.
│    │      └ properties
│    │         ├ SourceArn: (documentation changed)
│    │         └ SourceType: (documentation changed)
│    ├[~] resource AWS::CloudFront::OriginAccessControl
│    │ └ types
│    │    └[~] type OriginAccessControlConfig
│    │      └ properties
│    │         └ Name: (documentation changed)
│    ├[~] resource AWS::CloudFront::ResponseHeadersPolicy
│    │ └ types
│    │    └[~] type SecurityHeadersConfig
│    │      └ properties
│    │         └ StrictTransportSecurity: (documentation changed)
│    └[~] resource AWS::CloudFront::StreamingDistribution
│      └ attributes
│         └ Id: (documentation changed)
├[~] service aws-codebuild
│ └ resources
│    └[~] resource AWS::CodeBuild::Project
│      └ types
│         └[~] type ProjectFleet
│           ├  - documentation: undefined
│           │  + documentation: Information about the compute fleet of the build project. For more information, see [Working with reserved capacity in AWS CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/fleets.html) .
│           └ properties
│              └ FleetArn: (documentation changed)
├[~] service aws-codestarnotifications
│ └ resources
│    └[~] resource AWS::CodeStarNotifications::NotificationRule
│      ├  - documentation: Creates a notification rule for a resource. The rule specifies the events you want notifications about and the targets (such as AWS Chatbot topics or AWS Chatbot clients configured for Slack) where you want to receive them.
│      │  + documentation: Creates a notification rule for a resource. The rule specifies the events you want notifications about and the targets (such as Amazon Simple Notification Service topics or AWS Chatbot clients configured for Slack) where you want to receive them.
│      ├ properties
│      │  ├ CreatedBy: (documentation changed)
│      │  ├ EventTypeId: (documentation changed)
│      │  ├ TargetAddress: (documentation changed)
│      │  └ Targets: (documentation changed)
│      └ types
│         └[~] type Target
│           └ properties
│              └ TargetType: (documentation changed)
├[~] service aws-cognito
│ └ resources
│    ├[~] resource AWS::Cognito::IdentityPool
│    │ └ attributes
│    │    └ Id: (documentation changed)
│    ├[~] resource AWS::Cognito::IdentityPoolRoleAttachment
│    │ └ types
│    │    └[~] type RoleMapping
│    │      ├  - documentation: `RoleMapping` is a property of the [AWS::Cognito::IdentityPoolRoleAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html) resource that defines the role-mapping attributes of an Amazon Cognito identity pool.
│    │      │  + documentation: One of a set of `RoleMappings` , a property of the [AWS::Cognito::IdentityPoolRoleAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html) resource that defines the role-mapping attributes of an Amazon Cognito identity pool.
│    │      └ properties
│    │         ├ AmbiguousRoleResolution: (documentation changed)
│    │         └ Type: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPool
│    │ ├ properties
│    │ │  └ DeletionProtection: (documentation changed)
│    │ └ types
│    │    ├[~] type LambdaConfig
│    │    │ └ properties
│    │    │    └ PreTokenGenerationConfig: (documentation changed)
│    │    └[~] type PreTokenGenerationConfig
│    │      ├  - documentation: undefined
│    │      │  + documentation: The properties of a pre token generation Lambda trigger.
│    │      └ properties
│    │         ├ LambdaArn: (documentation changed)
│    │         └ LambdaVersion: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolClient
│    │ └ attributes
│    │    └ ClientId: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolDomain
│    │ └ attributes
│    │    └ Id: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolIdentityProvider
│    │ ├ properties
│    │ │  ├ AttributeMapping: - Map<string, string> ⇐ json
│    │ │  │                   + json
│    │ │  └ ProviderDetails: - Map<string, string> ⇐ json (required)
│    │ │                     + json
│    │ │                     (documentation changed)
│    │ └ attributes
│    │    └ Id: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolResourceServer
│    │ └ attributes
│    │    └ Id: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolRiskConfigurationAttachment
│    │ └ attributes
│    │    └ Id: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolUICustomizationAttachment
│    │ └ attributes
│    │    └ Id: (documentation changed)
│    └[~] resource AWS::Cognito::UserPoolUser
│      └ properties
│         └ ClientMetadata: (documentation changed)
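Review bot: In AWS::Cognito::UserPoolIdentityProvider, `AttributeMapping` and `ProviderDetails` change from `Map<string, string> ⇐ json` to plain `json`, and `ProviderDetails` also drops `(required)`. That removes the string-map typing and the required check from the generated L1, so malformed or missing identity provider settings are no longer caught before deployment. The tree shows `(documentation changed)` for `ProviderDetails` but gives no reason for the type change; please confirm that returning to `json` and making the property optional is an intentional spec change and call it out in the description.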
├[~] service aws-datasync
│ └ resources
│    └[~] resource AWS::DataSync::Task
│      └ properties
│         └ TaskReportConfig: (documentation changed)
├[~] service aws-dynamodb
│ └ resources
│    ├[~] resource AWS::DynamoDB::GlobalTable
│    │ └ types
│    │    └[~] type KinesisStreamSpecification
│    │      └ properties
│    │         └[+] ApproximateCreationDateTimePrecision: string
│    └[~] resource AWS::DynamoDB::Table
│      └ types
│         └[~] type KinesisStreamSpecification
│           └ properties
│              └[+] ApproximateCreationDateTimePrecision: string
├[~] service aws-ec2
│ └ resources
│    ├[~] resource AWS::EC2::ClientVpnEndpoint
│    │ ├ properties
│    │ │  └[+] ClientRouteMonitoringOptions: ClientRouteMonitoringOptions
│    │ └ types
│    │    └[+] type ClientRouteMonitoringOptions
│    │      ├  name: ClientRouteMonitoringOptions
│    │      └ properties
│    │         └Enabled: boolean
│    ├[~] resource AWS::EC2::EC2Fleet
│    │ └ types
│    │    └[~] type InstanceRequirementsRequest
│    │      └ properties
│    │         ├ OnDemandMaxPricePercentageOverLowestPrice: (documentation changed)
│    │         └ SpotMaxPricePercentageOverLowestPrice: (documentation changed)
│    ├[~] resource AWS::EC2::Instance
│    │ └ types
│    │    ├[~] type ElasticGpuSpecification
│    │    │ └  - documentation: Specifies the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon EC2 instance to accelerate the graphics performance of your applications. For more information, see [Amazon EC2 Elastic GPUs](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html) in the *Amazon EC2 User Guide for Windows Instances* .
│    │    │    `ElasticGpuSpecification` is a property of the [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource.
│    │    │    + documentation: > Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances. 
│    │    │    Specifies the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon EC2 instance to accelerate the graphics performance of your applications. For more information, see [Amazon EC2 Elastic GPUs](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html) in the *Amazon EC2 User Guide for Windows Instances* .
│    │    │    `ElasticGpuSpecification` is a property of the [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource.
│    │    └[~] type NetworkInterface
│    │      └ properties
│    │         └ AssociatePublicIpAddress: (documentation changed)
│    ├[~] resource AWS::EC2::LaunchTemplate
│    │ └ types
│    │    ├[~] type ElasticGpuSpecification
│    │    │ └  - documentation: Specifies a specification for an Elastic GPU for an Amazon EC2 launch template.
│    │    │    `ElasticGpuSpecification` is a property of [AWS::EC2::LaunchTemplate LaunchTemplateData](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html) .
│    │    │    + documentation: > Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances. 
│    │    │    Specifies a specification for an Elastic GPU for an Amazon EC2 launch template.
│    │    │    `ElasticGpuSpecification` is a property of [AWS::EC2::LaunchTemplate LaunchTemplateData](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html) .
│    │    ├[~] type InstanceRequirements
│    │    │ └ properties
│    │    │    ├[+] MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: integer
│    │    │    ├ OnDemandMaxPricePercentageOverLowestPrice: (documentation changed)
│    │    │    └ SpotMaxPricePercentageOverLowestPrice: (documentation changed)
│    │    └[~] type NetworkInterface
│    │      └ properties
│    │         └ AssociatePublicIpAddress: (documentation changed)
│    ├[~] resource AWS::EC2::SecurityGroupIngress
│    │ └ attributes
│    │    └ Id: (documentation changed)
│    ├[~] resource AWS::EC2::SpotFleet
│    │ └ types
│    │    ├[~] type InstanceNetworkInterfaceSpecification
│    │    │ └ properties
│    │    │    └ AssociatePublicIpAddress: (documentation changed)
│    │    └[~] type InstanceRequirementsRequest
│    │      └ properties
│    │         ├ OnDemandMaxPricePercentageOverLowestPrice: (documentation changed)
│    │         └ SpotMaxPricePercentageOverLowestPrice: (documentation changed)
│    └[~] resource AWS::EC2::Subnet
│      └ properties
│         └ MapPublicIpOnLaunch: (documentation changed)
├[~] service aws-ecs
│ └ resources
│    ├[~] resource AWS::ECS::Service
│    │ └ types
│    │    └[~] type LoadBalancer
│    │      └ properties
│    │         └ ContainerName: (documentation changed)
│    ├[~] resource AWS::ECS::TaskDefinition
│    │ └ types
│    │    ├[~] type ContainerDefinition
│    │    │ └ properties
│    │    │    ├[+] CredentialSpecs: Array<string>
│    │    │    └ SystemControls: (documentation changed)
│    │    ├[~] type EphemeralStorage
│    │    │ └  - documentation: The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate . For more information, see [Fargate task storage](https://docs.aws.amazon.com/AmazonECS/latest/userguide/using_data_volumes.html) in the *Amazon ECS User Guide for AWS Fargate* .
│    │    │    > For tasks using the Fargate launch type, the task requires the following platforms:
│    │    │    > 
│    │    │    > - Linux platform version `1.4.0` or later.
│    │    │    > - Windows platform version `1.0.0` or later.
│    │    │    + documentation: The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate . For more information, see [Using data volumes in tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_data_volumes.html) in the *Amazon ECS Developer Guide;* .
│    │    │    > For tasks using the Fargate launch type, the task requires the following platforms:
│    │    │    > 
│    │    │    > - Linux platform version `1.4.0` or later.
│    │    │    > - Windows platform version `1.0.0` or later.
│    │    └[~] type SystemControl
│    │      └  - documentation: A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .
│    │         We don't recommend that you specify network-related `systemControls` parameters for multiple containers in a single task. This task also uses either the `awsvpc` or `host` network mode. It does it for the following reasons.
│    │         - For tasks that use the `awsvpc` network mode, if you set `systemControls` for any container, it applies to all containers in the task. If you set different `systemControls` for multiple containers in a single task, the container that's started last determines which `systemControls` take effect.
│    │         - For tasks that use the `host` network mode, the `systemControls` parameter applies to the container instance's kernel parameter and that of all containers of any tasks running on that container instance.
│    │         + documentation: A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) . For example, you can configure `net.ipv4.tcp_keepalive_time` setting to maintain longer lived connections.
│    │         We don't recommend that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network mode. Doing this has the following disadvantages:
│    │         - For tasks that use the `awsvpc` network mode including Fargate, if you set `systemControls` for any container, it applies to all containers in the task. If you set different `systemControls` for multiple containers in a single task, the container that's started last determines which `systemControls` take effect.
│    │         - For tasks that use the `host` network mode, the network namespace `systemControls` aren't supported.
│    │         If you're setting an IPC resource namespace to use for the containers in the task, the following conditions apply to your system controls. For more information, see [IPC mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_ipcmode) .
│    │         - For tasks that use the `host` IPC mode, IPC namespace `systemControls` aren't supported.
│    │         - For tasks that use the `task` IPC mode, IPC namespace `systemControls` values apply to all containers within a task.
│    │         > This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.
│    └[~] resource AWS::ECS::TaskSet
│      └ types
│         └[~] type LoadBalancer
│           └ properties
│              └ ContainerName: (documentation changed)
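Review bot: The Docker links in the new `SystemControl` documentation are malformed: each one prefixes `https://docs.aws.amazon.com/` to a full `https://docs.docker.com/...` URL. The removed text had the same defect, so this update carries it forward unchanged. The new `EphemeralStorage` text also ends with `*Amazon ECS Developer Guide;*`, with a stray semicolon, and the last `SystemControl` line runs two `>` notes together on one line. All three should be reported against the source spec rather than patched in the generated definitions.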
├[~] service aws-efs
│ └ resources
│    └[~] resource AWS::EFS::FileSystem
│      └ properties
│         └ PerformanceMode: (documentation changed)
├[~] service aws-elasticloadbalancingv2
│ └ resources
│    ├[~] resource AWS::ElasticLoadBalancingV2::LoadBalancer
│    │ └ properties
│    │    ├ SubnetMappings: (documentation changed)
│    │    └ Subnets: (documentation changed)
│    └[~] resource AWS::ElasticLoadBalancingV2::TargetGroup
│      └ types
│         └[~] type TargetGroupAttribute
│           └ properties
│              └ Key: (documentation changed)
├[~] service aws-glue
│ └ resources
│    └[+] resource AWS::Glue::TableOptimizer
│      ├  name: TableOptimizer
│      │  cloudFormationType: AWS::Glue::TableOptimizer
│      │  documentation: Resource Type definition for AWS::Glue::TableOptimizer
│      ├ properties
│      │  ├DatabaseName: string (required, immutable)
│      │  ├TableName: string (required, immutable)
│      │  ├Type: string (required, immutable)
│      │  ├TableOptimizerConfiguration: TableOptimizerConfiguration (required)
│      │  └CatalogId: string (required, immutable)
│      ├ attributes
│      │  └Id: string
│      └ types
│         └type TableOptimizerConfiguration
│          ├  name: TableOptimizerConfiguration
│          └ properties
│             ├Enabled: boolean
│             └RoleArn: string
├[~] service aws-guardduty
│ └ resources
│    └[~] resource AWS::GuardDuty::Filter
│      └ attributes
│         └[-] Id: string
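Review bot: The `[-] Id: string` line under `AWS::GuardDuty::Filter` removes an attribute from the L1 definition, which breaks any code that reads that attribute, yet the PR is titled `feat:` and the description does not flag a removal. Confirm the attribute was dropped from the service spec on purpose, and call the removal out explicitly before this is merged.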
├[~] service aws-inspectorv2
│ └ resources
│    └[+] resource AWS::InspectorV2::CisScanConfiguration
│      ├  name: CisScanConfiguration
│      │  cloudFormationType: AWS::InspectorV2::CisScanConfiguration
│      │  documentation: The CIS scan configuration.
│      │  tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│      ├ properties
│      │  ├ScanName: string
│      │  ├SecurityLevel: string
│      │  ├Schedule: Schedule
│      │  ├Targets: CisTargets
│      │  └Tags: Map<string, string>
│      ├ attributes
│      │  └Arn: string
│      └ types
│         ├type Schedule
│         │├  documentation: The schedule the CIS scan configuration runs on. Each CIS scan configuration has exactly one type of schedule.
│         ││  name: Schedule
│         │└ properties
│         │   ├OneTime: json
│         │   ├Daily: DailySchedule
│         │   ├Weekly: WeeklySchedule
│         │   └Monthly: MonthlySchedule
│         ├type DailySchedule
│         │├  documentation: A daily schedule.
│         ││  name: DailySchedule
│         │└ properties
│         │   └StartTime: Time (required)
│         ├type Time
│         │├  documentation: The time.
│         ││  name: Time
│         │└ properties
│         │   ├TimeOfDay: string (required)
│         │   └TimeZone: string (required)
│         ├type WeeklySchedule
│         │├  documentation: A weekly schedule.
│         ││  name: WeeklySchedule
│         │└ properties
│         │   ├StartTime: Time (required)
│         │   └Days: Array<string> (required)
│         ├type MonthlySchedule
│         │├  documentation: A monthly schedule.
│         ││  name: MonthlySchedule
│         │└ properties
│         │   ├StartTime: Time (required)
│         │   └Day: string (required)
│         └type CisTargets
│          ├  documentation: The CIS targets.
│          │  name: CisTargets
│          └ properties
│             ├AccountIds: Array<string> (required)
│             └TargetResourceTags: Map<string, Array<string>>
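Review bot: The `Schedule` type documents that each CIS scan configuration has exactly one type of schedule, but `OneTime`, `Daily`, `Weekly` and `Monthly` are all listed as optional and nothing in this definition makes them mutually exclusive, so the type as written admits none or several. `OneTime` is typed as bare `json`, and none of the top-level properties (`ScanName`, `SecurityLevel`, `Schedule`, `Targets`) is marked required. It is worth confirming against the resource schema that this is accurate, and adding per-property documentation, which the new types mostly lack.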
├[~] service aws-internetmonitor
│ └ resources
│    └[~] resource AWS::InternetMonitor::Monitor
│      └ types
│         ├[~] type InternetMeasurementsLogDelivery
│         │ └ properties
│         │    └ S3Config: (documentation changed)
│         └[~] type S3Config
│           ├  - documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to S3 logs, and `DISABLED` otherwise.
│           │  The measurements are also published to Amazon CloudWatch Logs.
│           │  + documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs.
│           └ properties
│              ├ BucketName: (documentation changed)
│              ├ BucketPrefix: (documentation changed)
│              └ LogDeliveryStatus: (documentation changed)
├[~] service aws-iot
│ └ resources
│    └[~] resource AWS::IoT::DomainConfiguration
│      ├ properties
│      │  └[+] ServerCertificateConfig: ServerCertificateConfig
│      └ types
│         └[+] type ServerCertificateConfig
│           ├  name: ServerCertificateConfig
│           └ properties
│              └EnableOCSPCheck: boolean
├[~] service aws-iotwireless
│ └ resources
│    ├[~] resource AWS::IoTWireless::PartnerAccount
│    │ └ properties
│    │    └ SidewalkResponse: (documentation changed)
│    └[~] resource AWS::IoTWireless::WirelessDevice
│      └ types
│         ├[~] type AbpV10x
│         │ ├  - documentation: undefined
│         │ │  + documentation: ABP device object for LoRaWAN specification v1.0.x
│         │ └ properties
│         │    ├ DevAddr: (documentation changed)
│         │    └ SessionKeys: (documentation changed)
│         ├[~] type LoRaWANDevice
│         │ └ properties
│         │    └ AbpV10x: (documentation changed)
│         ├[~] type OtaaV10x
│         │ └ properties
│         │    ├ AppEui: (documentation changed)
│         │    └ AppKey: (documentation changed)
│         └[~] type SessionKeysAbpV10x
│           ├  - documentation: undefined
│           │  + documentation: Session keys for ABP v1.0.x.
│           └ properties
│              ├ AppSKey: (documentation changed)
│              └ NwkSKey: (documentation changed)
├[~] service aws-lambda
│ └ resources
│    ├[~] resource AWS::Lambda::EventInvokeConfig
│    │ └ types
│    │    └[~] type OnFailure
│    │      └ properties
│    │         └ Destination: (documentation changed)
│    └[~] resource AWS::Lambda::EventSourceMapping
│      ├ properties
│      │  └ DestinationConfig: (documentation changed)
│      └ types
│         └[~] type OnFailure
│           └ properties
│              └ Destination: (documentation changed)
├[~] service aws-location
│ └ resources
│    └[~] resource AWS::Location::Map
│      └ types
│         └[~] type MapConfiguration
│           └ properties
│              └ CustomLayers: (documentation changed)
├[~] service aws-logs
│ └ resources
│    ├[~] resource AWS::Logs::AccountPolicy
│    │ └  - documentation: Creates or updates an aaccount-level data protection policy or subscription filter policy that applies to all log groups or a subset of log groups in the account.
│    │    *Data protection policy*
│    │    A data protection policy can help safeguard sensitive data that's ingested by your log groups by auditing and masking the sensitive log data. Each account can have only one account-level data protection policy.
│    │    > Sensitive data is detected and masked when it is ingested into a log group. When you set a data protection policy, log events ingested into the log groups before that time are not masked. 
│    │    If you create a data protection policy for your whole account, it applies to both existing log groups and all log groups that are created later in this account. The account policy is applied to existing log groups with eventual consistency. It might take up to 5 minutes before sensitive data in existing log groups begins to be masked.
│    │    By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks. A user who has the `logs:Unmask` permission can use a [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html) or [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html) operation with the `unmask` parameter set to `true` to view the unmasked log events. Users with the `logs:Unmask` can also view unmasked data in the CloudWatch Logs console by running a CloudWatch Logs Insights query with the `unmask` query command.
│    │    For more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .
│    │    To create an account-level policy, you must be signed on with the `logs:PutDataProtectionPolicy` and `logs:PutAccountPolicy` permissions.
│    │    An account-level policy applies to all log groups in the account. You can also create a data protection policy that applies to just one log group. If a log group has its own data protection policy and the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term specified in either policy is masked.
│    │    *Subscription filter policy*
│    │    A subscription filter policy sets up a real-time feed of log events from CloudWatch Logs to other AWS services. Account-level subscription filter policies apply to both existing log groups and log groups that are created later in this account. Supported destinations are Kinesis Data Streams , Kinesis Data Firehose , and Lambda . When log events are sent to the receiving service, they are Base64 encoded and compressed with the GZIP format.
│    │    The following destinations are supported for subscription filters:
│    │    - An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.
│    │    - An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.
│    │    - A Lambda function in the same account as the subscription policy, for same-account delivery.
│    │    - A logical destination in a different account created with [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html) , for cross-account delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.
│    │    Each account can have one account-level subscription filter policy. If you are updating an existing filter, you must specify the correct name in `PolicyName` . To perform a `PutAccountPolicy` subscription filter operation for any destination except a Lambda function, you must also have the `iam:PassRole` permission.
│    │    + documentation: Creates or updates an account-level data protection policy or subscription filter policy that applies to all log groups or a subset of log groups in the account.
│    │    *Data protection policy*
│    │    A data protection policy can help safeguard sensitive data that's ingested by your log groups by auditing and masking the sensitive log data. Each account can have only one account-level data protection policy.
│    │    > Sensitive data is detected and masked when it is ingested into a log group. When you set a data protection policy, log events ingested into the log groups before that time are not masked. 
│    │    If you create a data protection policy for your whole account, it applies to both existing log groups and all log groups that are created later in this account. The account policy is applied to existing log groups with eventual consistency. It might take up to 5 minutes before sensitive data in existing log groups begins to be masked.
│    │    By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks. A user who has the `logs:Unmask` permission can use a [GetLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html) or [FilterLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html) operation with the `unmask` parameter set to `true` to view the unmasked log events. Users with the `logs:Unmask` can also view unmasked data in the CloudWatch Logs console by running a CloudWatch Logs Insights query with the `unmask` query command.
│    │    For more information, including a list of types of data that can be audited and masked, see [Protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html) .
│    │    To create an account-level policy, you must be signed on with the `logs:PutDataProtectionPolicy` and `logs:PutAccountPolicy` permissions.
│    │    An account-level policy applies to all log groups in the account. You can also create a data protection policy that applies to just one log group. If a log group has its own data protection policy and the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term specified in either policy is masked.
│    │    *Subscription filter policy*
│    │    A subscription filter policy sets up a real-time feed of log events from CloudWatch Logs to other AWS services. Account-level subscription filter policies apply to both existing log groups and log groups that are created later in this account. Supported destinations are Kinesis Data Streams , Kinesis Data Firehose , and Lambda . When log events are sent to the receiving service, they are Base64 encoded and compressed with the GZIP format.
│    │    The following destinations are supported for subscription filters:
│    │    - An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.
│    │    - An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.
│    │    - A Lambda function in the same account as the subscription policy, for same-account delivery.
│    │    - A logical destination in a different account created with [PutDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html) , for cross-account delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.
│    │    Each account can have one account-level subscription filter policy. If you are updating an existing filter, you must specify the correct name in `PolicyName` . To perform a `PutAccountPolicy` subscription filter operation for any destination except a Lambda function, you must also have the `iam:PassRole` permission.
│    └[~] resource AWS::Logs::QueryDefinition
│      └ properties
│         └ Name: (documentation changed)
├[~] service aws-networkmanager
│ └ resources
│    └[~] resource AWS::NetworkManager::Device
│      └ attributes
│         └ CreatedAt: (documentation changed)
├[~] service aws-opensearchserverless
│ └ resources
│    └[~] resource AWS::OpenSearchServerless::Collection
│      └ properties
│         └ StandbyReplicas: (documentation changed)
├[~] service aws-osis
│ └ resources
│    └[~] resource AWS::OSIS::Pipeline
│      ├ properties
│      │  ├ BufferOptions: (documentation changed)
│      │  └ EncryptionAtRestOptions: (documentation changed)
│      └ types
│         ├[~] type BufferOptions
│         │ └  - documentation: Options that specify the configuration of a persistent buffer. To configure how OpenSearch Ingestion encrypts this data, set the EncryptionAtRestOptions.
│         │    + documentation: Options that specify the configuration of a persistent buffer. To configure how OpenSearch Ingestion encrypts this data, set the `EncryptionAtRestOptions` . For more information, see [Persistent buffering](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/osis-features-overview.html#persistent-buffering) .
│         ├[~] type CloudWatchLogDestination
│         │ └ properties
│         │    └ LogGroup: (documentation changed)
│         └[~] type EncryptionAtRestOptions
│           ├  - documentation: Options to control how OpenSearch encrypts all data-at-rest.
│           │  + documentation: Options to control how OpenSearch encrypts buffer data.
│           └ properties
│              └ KmsKeyArn: (documentation changed)
├[~] service aws-personalize
│ └ resources
│    └[~] resource AWS::Personalize::Solution
│      └  - documentation: An object that provides information about a solution. A solution is a trained model that can be deployed as a campaign.
│         + documentation: An object that provides information about a solution. A solution includes the custom recipe, customized parameters, and trained models (Solution Versions) that Amazon Personalize uses to generate recommendations.
├[~] service aws-pinpoint
│ └ resources
│    └[~] resource AWS::Pinpoint::EventStream
│      └ properties
│         └ DestinationStreamArn: (documentation changed)
├[~] service aws-rds
│ └ resources
│    ├[~] resource AWS::RDS::DBCluster
│    │ ├ properties
│    │ │  ├ ScalingConfiguration: (documentation changed)
│    │ │  └ ServerlessV2ScalingConfiguration: (documentation changed)
│    │ └ types
│    │    ├[~] type ScalingConfiguration
│    │    │ └  - documentation: The `ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless DB cluster.
│    │    │    For more information, see [Using Amazon Aurora Serverless](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html) in the *Amazon Aurora User Guide* .
│    │    │    This property is only supported for Aurora Serverless v1. For Aurora Serverless v2, use `ServerlessV2ScalingConfiguration` property.
│    │    │    Valid for: Aurora DB clusters only
│    │    │    + documentation: The `ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless DB cluster.
│    │    │    For more information, see [Using Amazon Aurora Serverless](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html) in the *Amazon Aurora User Guide* .
│    │    │    This property is only supported for Aurora Serverless v1. For Aurora Serverless v2, Use the `ServerlessV2ScalingConfiguration` property.
│    │    │    Valid for: Aurora DB clusters only
│    │    └[~] type ServerlessV2ScalingConfiguration
│    │      └  - documentation: The `ServerlessV2ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless V2 DB cluster.
│    │         For more information, see [Using Amazon Aurora Serverless v2](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.html) in the *Amazon Aurora User Guide* .
│    │         If you have an Aurora cluster, you must set the `ScalingConfigurationInfo` attribute before you add a DB instance that uses the `db.serverless` DB instance class. For more information, see [Clusters that use Aurora Serverless v2 must have a capacity range specified](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.requirements.html#aurora-serverless-v2.requirements.capacity-range) in the *Amazon Aurora User Guide* .
│    │         This property is only supported for Aurora Serverless v2. For Aurora Serverless v1, use `ScalingConfiguration` property.
│    │         + documentation: The `ServerlessV2ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless V2 DB cluster.
│    │         For more information, see [Using Amazon Aurora Serverless v2](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.html) in the *Amazon Aurora User Guide* .
│    │         If you have an Aurora cluster, you must set the `ScalingConfigurationInfo` attribute before you add a DB instance that uses the `db.serverless` DB instance class. For more information, see [Clusters that use Aurora Serverless v2 must have a capacity range specified](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.requirements.html#aurora-serverless-v2.requirements.capacity-range) in the *Amazon Aurora User Guide* .
│    │         This property is only supported for Aurora Serverless v2. For Aurora Serverless v1, Use the `ScalingConfiguration` property.
│    └[+] resource AWS::RDS::Integration
│      ├  name: Integration
│      │  cloudFormationType: AWS::RDS::Integration
│      │  documentation: A zero-ETL integration with Amazon Redshift.
│      │  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      ├ properties
│      │  ├IntegrationName: string (immutable)
│      │  ├Tags: Array<tag>
│      │  ├SourceArn: string (required, immutable)
│      │  ├TargetArn: string (required, immutable)
│      │  ├KMSKeyId: string (immutable)
│      │  └AdditionalEncryptionContext: Map<string, string> (immutable)
│      └ attributes
│         ├IntegrationArn: string
│         └CreateTime: string
├[~] service aws-redshiftserverless
│ └ resources
│    ├[~] resource AWS::RedshiftServerless::Namespace
│    │ ├ properties
│    │ │  ├[+] AdminPasswordSecretKmsKeyId: string
│    │ │  ├[+] ManageAdminPassword: boolean
│    │ │  ├[+] NamespaceResourcePolicy: json
│    │ │  └[+] RedshiftIdcApplicationArn: string
│    │ └ types
│    │    └[~] type Namespace
│    │      └ properties
│    │         ├[+] AdminPasswordSecretArn: string
│    │         └[+] AdminPasswordSecretKmsKeyId: string
│    └[~] resource AWS::RedshiftServerless::Workgroup
│      ├ properties
│      │  └[+] MaxCapacity: integer
│      ├ attributes
│      │  └[+] Workgroup.MaxCapacity: integer
│      └ types
│         └[~] type Workgroup
│           └ properties
│              └[+] MaxCapacity: integer
├[~] service aws-route53
│ └ resources
│    └[~] resource AWS::Route53::RecordSetGroup
│      └ attributes
│         └ Id: (documentation changed)
├[~] service aws-sagemaker
│ └ resources
│    ├[~] resource AWS::SageMaker::AppImageConfig
│    │ ├  - documentation: Creates a configuration for running a SageMaker image as a KernelGateway app. The configuration specifies the Amazon Elastic File System (EFS) storage volume on the image, and a list of the kernels in the image.
│    │ │  + documentation: Creates a configuration for running a SageMaker image as a KernelGateway app. The configuration specifies the Amazon Elastic File System storage volume on the image, and a list of the kernels in the image.
│    │ ├ properties
│    │ │  └[+] JupyterLabAppImageConfig: JupyterLabAppImageConfig
│    │ └ types
│    │    ├[+] type ContainerConfig
│    │    │ ├  documentation: The configuration used to run the application image container.
│    │    │ │  name: ContainerConfig
│    │    │ └ properties
│    │    │    ├ContainerArguments: Array<string>
│    │    │    ├ContainerEntrypoint: Array<string>
│    │    │    └ContainerEnvironmentVariables: Array<CustomImageContainerEnvironmentVariable>
│    │    ├[+] type CustomImageContainerEnvironmentVariable
│    │    │ ├  documentation: The environment variables to set in the container
│    │    │ │  name: CustomImageContainerEnvironmentVariable
│    │    │ └ properties
│    │    │    ├Value: string (required)
│    │    │    └Key: string (required)
│    │    ├[~] type FileSystemConfig
│    │    │ └  - documentation: The Amazon Elastic File System (EFS) storage configuration for a SageMaker image.
│    │    │    + documentation: The Amazon Elastic File System storage configuration for a SageMaker image.
│    │    ├[+] type JupyterLabAppImageConfig
│    │    │ ├  documentation: The configuration for the file system and kernels in a SageMaker image running as a JupyterLab app.
│    │    │ │  name: JupyterLabAppImageConfig
│    │    │ └ properties
│    │    │    └ContainerConfig: ContainerConfig
│    │    └[~] type KernelGatewayImageConfig
│    │      └ properties
│    │         └ FileSystemConfig: (documentation changed)
│    ├[~] resource AWS::SageMaker::Domain
│    │ ├  - documentation: Creates a `Domain` . A domain consists of an associated Amazon Elastic File System (EFS) volume, a list of authorized users, and a variety of security, application, policy, and Amazon Virtual Private Cloud (VPC) configurations. Users within a domain can share notebook files and other artifacts with each other.
│    │ │  *EFS storage*
│    │ │  When a domain is created, an EFS volume is created for use by all of the users within the domain. Each user receives a private home directory within the EFS volume for notebooks, Git repositories, and data files.
│    │ │  SageMaker uses the AWS Key Management Service ( AWS KMS) to encrypt the EFS volume attached to the domain with an AWS managed key by default. For more control, you can specify a customer managed key. For more information, see [Protect Data at Rest Using Encryption](https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html) .
│    │ │  *VPC configuration*
│    │ │  All traffic between the domain and the EFS volume is through the specified VPC and subnets. For other traffic, you can specify the `AppNetworkAccessType` parameter. `AppNetworkAccessType` corresponds to the network access type that you choose when you onboard to the domain. The following options are available:
│    │ │  - `PublicInternetOnly` - Non-EFS traffic goes through a VPC managed by Amazon SageMaker, which allows internet access. This is the default value.
│    │ │  - `VpcOnly` - All traffic is through the specified VPC and subnets. Internet access is disabled by default. To allow internet access, you must specify a NAT gateway.
│    │ │  When internet access is disabled, you won't be able to run a Amazon SageMaker Studio notebook or to train or host models unless your VPC has an interface endpoint to the SageMaker API and runtime or a NAT gateway and your security groups allow outbound connections.
│    │ │  > NFS traffic over TCP on port 2049 needs to be allowed in both inbound and outbound rules in order to launch a Amazon SageMaker Studio app successfully. 
│    │ │  For more information, see [Connect Amazon SageMaker Studio Notebooks to Resources in a VPC](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html) .
│    │ │  + documentation: Creates a `Domain` . A domain consists of an associated Amazon Elastic File System volume, a list of authorized users, and a variety of security, application, policy, and Amazon Virtu

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
@aws-cdk-automation added the auto-approve, contribution/core, dependencies, pr-linter/exempt-readme, pr-linter/exempt-test and pr-linter/exempt-integ-test labels Feb 9, 2024
@aws-cdk-automation requested review from a team February 9, 2024 18:30
@github-actions bot added the p2 label Feb 9, 2024
@aws-cdk-automation
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: e38ff0c
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository
