diff --git a/.cfnlintrc.yaml b/.cfnlintrc.yaml index 23172d0767..55be3cc2ea 100644 --- a/.cfnlintrc.yaml +++ b/.cfnlintrc.yaml @@ -139,6 +139,8 @@ ignore_templates: - tests/translator/output/**/managed_policies_everything.json # intentionally contains wrong arns - tests/translator/output/**/function_with_provisioned_poller_config.json - tests/translator/output/**/function_with_metrics_config.json + - tests/translator/output/**/function_with_self_managed_kafka_and_schema_registry.json # cfnlint is not updated to recognize the SchemaRegistryConfig property + - tests/translator/output/**/function_with_msk_with_schema_registry_config.json # cfnlint is not updated to recognize the SchemaRegistryConfig property ignore_checks: - E2531 # Deprecated runtime; not relevant for transform tests diff --git a/integration/combination/test_function_with_msk.py b/integration/combination/test_function_with_msk.py index 5a9f7b0d5c..472a128f4e 100644 --- a/integration/combination/test_function_with_msk.py +++ b/integration/combination/test_function_with_msk.py @@ -41,6 +41,15 @@ def test_function_with_msk_trigger_and_s3_onfailure_events_destinations(self): "combination/function_with_msk_trigger_and_s3_onfailure_events_destinations", parameters ) + def test_function_with_msk_trigger_and_confluent_schema_registry(self): + companion_stack_outputs = self.companion_stack_outputs + parameters = self.get_parameters(companion_stack_outputs) + cluster_name = "MskCluster4-" + generate_suffix() + parameters.append(self.generate_parameter("MskClusterName4", cluster_name)) + self._common_validations_for_MSK( + "combination/function_with_msk_trigger_and_confluent_schema_registry", parameters + ) + def _common_validations_for_MSK(self, file_name, parameters): self.create_and_verify_stack(file_name, parameters) diff --git a/integration/resources/expected/combination/function_with_msk_trigger_and_confluent_schema_registry.json b/integration/resources/expected/combination/function_with_msk_trigger_and_confluent_schema_registry.json new file mode 100644 index 0000000000..e45f42ea51 --- /dev/null +++ b/integration/resources/expected/combination/function_with_msk_trigger_and_confluent_schema_registry.json @@ -0,0 +1,22 @@ +[ + { + "LogicalResourceId": "MyMskStreamProcessor", + "ResourceType": "AWS::Lambda::Function" + }, + { + "LogicalResourceId": "MyLambdaExecutionRole", + "ResourceType": "AWS::IAM::Role" + }, + { + "LogicalResourceId": "MyMskCluster", + "ResourceType": "AWS::MSK::Cluster" + }, + { + "LogicalResourceId": "MyMskStreamProcessorMyMskEvent", + "ResourceType": "AWS::Lambda::EventSourceMapping" + }, + { + "LogicalResourceId": "PreCreatedS3Bucket", + "ResourceType": "AWS::S3::Bucket" + } +] diff --git a/integration/resources/templates/combination/function_with_mq.yaml b/integration/resources/templates/combination/function_with_mq.yaml index 7efeaae4b0..b8fc919862 100644 --- a/integration/resources/templates/combination/function_with_mq.yaml +++ b/integration/resources/templates/combination/function_with_mq.yaml @@ -112,13 +112,13 @@ Resources: Ref: MQBrokerName DeploymentMode: SINGLE_INSTANCE EngineType: ACTIVEMQ - EngineVersion: 5.17.6 + EngineVersion: 5.18 HostInstanceType: mq.t3.micro Logs: Audit: true General: true PubliclyAccessible: true - AutoMinorVersionUpgrade: false + AutoMinorVersionUpgrade: true SecurityGroups: - Ref: MQSecurityGroup SubnetIds: diff --git a/integration/resources/templates/combination/function_with_mq_using_autogen_role.yaml b/integration/resources/templates/combination/function_with_mq_using_autogen_role.yaml index 332a2943fe..ba15f1f418 100644 --- a/integration/resources/templates/combination/function_with_mq_using_autogen_role.yaml +++ b/integration/resources/templates/combination/function_with_mq_using_autogen_role.yaml @@ -84,13 +84,13 @@ Resources: Ref: MQBrokerName2 DeploymentMode: SINGLE_INSTANCE EngineType: ACTIVEMQ - EngineVersion: 5.17.6 + EngineVersion: 5.18 HostInstanceType: mq.t3.micro Logs: Audit: true General: true PubliclyAccessible: true - AutoMinorVersionUpgrade: false + AutoMinorVersionUpgrade: true SecurityGroups: - Ref: MQSecurityGroup SubnetIds: diff --git a/integration/resources/templates/combination/function_with_msk.yaml b/integration/resources/templates/combination/function_with_msk.yaml index 5f6eecca8c..6b72c36e16 100644 --- a/integration/resources/templates/combination/function_with_msk.yaml +++ b/integration/resources/templates/combination/function_with_msk.yaml @@ -45,7 +45,7 @@ Resources: VolumeSize: 1 ClusterName: Ref: MskClusterName - KafkaVersion: 2.4.1.1 + KafkaVersion: 3.8.x NumberOfBrokerNodes: 2 MyMskStreamProcessor: diff --git a/integration/resources/templates/combination/function_with_msk_trigger_and_confluent_schema_registry.yaml b/integration/resources/templates/combination/function_with_msk_trigger_and_confluent_schema_registry.yaml new file mode 100644 index 0000000000..dedc27203e --- /dev/null +++ b/integration/resources/templates/combination/function_with_msk_trigger_and_confluent_schema_registry.yaml @@ -0,0 +1,86 @@ +Parameters: + PreCreatedSubnetOne: + Type: String + PreCreatedSubnetTwo: + Type: String + MskClusterName4: + Type: String + +Resources: + MyLambdaExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Action: [sts:AssumeRole] + Effect: Allow + Principal: + Service: [lambda.amazonaws.com] + Policies: + - PolicyName: IntegrationTestExecution + PolicyDocument: + Statement: + - Action: [kafka:DescribeCluster, kafka:GetBootstrapBrokers, ec2:CreateNetworkInterface, + ec2:DescribeNetworkInterfaces, ec2:DescribeVpcs, ec2:DeleteNetworkInterface, + ec2:DescribeSubnets, ec2:DescribeSecurityGroups, logs:CreateLogGroup, + logs:CreateLogStream, logs:PutLogEvents, s3:ListBucket, kafka:DescribeClusterV2] + Effect: Allow + Resource: '*' + ManagedPolicyArns: + - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole + Tags: + - {Value: SAM, Key: lambda:createdBy} + + MyMskCluster: + Type: AWS::MSK::Cluster + Properties: + BrokerNodeGroupInfo: + ClientSubnets: + - Ref: PreCreatedSubnetOne + - Ref: PreCreatedSubnetTwo + InstanceType: kafka.t3.small + StorageInfo: + EBSStorageInfo: + VolumeSize: 1 + ClusterName: + Ref: MskClusterName4 + KafkaVersion: 3.8.x + NumberOfBrokerNodes: 2 + + MyMskStreamProcessor: + Type: AWS::Serverless::Function + Properties: + Runtime: nodejs18.x + Handler: index.handler + CodeUri: ${codeuri} + Role: + Fn::GetAtt: [MyLambdaExecutionRole, Arn] + Events: + MyMskEvent: + Type: MSK + Properties: + StartingPosition: LATEST + Stream: + Ref: MyMskCluster + Topics: + - SchemaRegistryTestTopic + ProvisionedPollerConfig: + MinimumPollers: 1 + SchemaRegistryConfig: + AccessConfigs: + - Type: BASIC_AUTH + URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + SchemaValidationConfigs: + - Attribute: KEY + EventRecordFormat: JSON + SchemaRegistryURI: https://confluent.us-east-2.aws.confluent.cloud:9092 + + + + PreCreatedS3Bucket: + Type: AWS::S3::Bucket + DeletionPolicy: Delete + +Metadata: + SamTransformTest: true diff --git a/integration/resources/templates/combination/function_with_msk_trigger_and_s3_onfailure_events_destinations.yaml b/integration/resources/templates/combination/function_with_msk_trigger_and_s3_onfailure_events_destinations.yaml index 7ff0e13f2d..c449edbc4f 100644 --- a/integration/resources/templates/combination/function_with_msk_trigger_and_s3_onfailure_events_destinations.yaml +++ b/integration/resources/templates/combination/function_with_msk_trigger_and_s3_onfailure_events_destinations.yaml @@ -45,7 +45,7 @@ Resources: VolumeSize: 1 ClusterName: Ref: MskClusterName3 - KafkaVersion: 2.4.1.1 + KafkaVersion: 3.8.x NumberOfBrokerNodes: 2 MyMskStreamProcessor: diff --git a/integration/resources/templates/combination/function_with_msk_using_managed_policy.yaml b/integration/resources/templates/combination/function_with_msk_using_managed_policy.yaml index cb1186bfb4..05b0b3e54d 100644 --- a/integration/resources/templates/combination/function_with_msk_using_managed_policy.yaml +++ b/integration/resources/templates/combination/function_with_msk_using_managed_policy.yaml @@ -20,7 +20,7 @@ Resources: VolumeSize: 1 ClusterName: Ref: MskClusterName2 - KafkaVersion: 2.4.1.1 + KafkaVersion: 3.8.x NumberOfBrokerNodes: 2 MyMskStreamProcessor: diff --git a/requirements/base.txt b/requirements/base.txt index cbf14667d0..8a2c639cc6 100755 --- a/requirements/base.txt +++ b/requirements/base.txt @@ -1,4 +1,4 @@ -boto3>=1.19.5,==1.* +boto3>=1.34.0,<2.0.0 jsonschema<5,>=3.2 # TODO: evaluate risk of removing jsonschema 3.x support typing_extensions>=4.4 # 3.8 doesn't have Required, TypeGuard and ParamSpec diff --git a/requirements/dev.txt b/requirements/dev.txt index 5489cc5746..911e125a72 100644 --- a/requirements/dev.txt +++ b/requirements/dev.txt @@ -12,8 +12,8 @@ parameterized~=0.7 # Integration tests dateparser~=1.1 -boto3>=1.23,<2 -tenacity~=8.0 +boto3>=1.34.0,<2.0.0 +tenacity~=9.0 # Requirements for examples requests~=2.28 @@ -26,6 +26,9 @@ ruamel.yaml==0.17.21 # It can parse yaml while perserving comments mypy~=1.3.0 # types -boto3-stubs[appconfig,serverlessrepo]>=1.19.5,==1.* +boto3-stubs[appconfig,serverlessrepo]>=1.34.0,<2.0.0 types-PyYAML~=6.0 types-jsonschema~=3.2 + +# CloudFormation CLI tools +cloudformation-cli>=0.2.39,<0.3.0 diff --git a/samtranslator/__init__.py b/samtranslator/__init__.py index ff4f92b088..8e4d66c70f 100644 --- a/samtranslator/__init__.py +++ b/samtranslator/__init__.py @@ -1 +1 @@ -__version__ = "1.98.0" +__version__ = "1.99.0" diff --git a/samtranslator/internal/schema_source/aws_serverless_function.py b/samtranslator/internal/schema_source/aws_serverless_function.py index 4743e82f77..260d2eae7b 100644 --- a/samtranslator/internal/schema_source/aws_serverless_function.py +++ b/samtranslator/internal/schema_source/aws_serverless_function.py @@ -421,6 +421,7 @@ class MSKEventProperties(BaseModel): SourceAccessConfigurations: Optional[PassThroughProp] = mskeventproperties("SourceAccessConfigurations") DestinationConfig: Optional[PassThroughProp] # TODO: add documentation ProvisionedPollerConfig: Optional[PassThroughProp] + SchemaRegistryConfig: Optional[PassThroughProp] class MSKEvent(BaseModel): @@ -460,6 +461,7 @@ class SelfManagedKafkaEventProperties(BaseModel): StartingPositionTimestamp: Optional[PassThroughProp] # TODO: add documentation Topics: PassThroughProp = selfmanagedkafkaeventproperties("Topics") ProvisionedPollerConfig: Optional[PassThroughProp] + SchemaRegistryConfig: Optional[PassThroughProp] class SelfManagedKafkaEvent(BaseModel): diff --git a/samtranslator/model/cognito.py b/samtranslator/model/cognito.py index 9dc6772751..bb655b8577 100644 --- a/samtranslator/model/cognito.py +++ b/samtranslator/model/cognito.py @@ -11,6 +11,8 @@ class CognitoUserPool(Resource): "AutoVerifiedAttributes": GeneratedProperty(), "DeletionProtection": GeneratedProperty(), "DeviceConfiguration": GeneratedProperty(), + "EmailAuthenticationMessage": GeneratedProperty(), + "EmailAuthenticationSubject": GeneratedProperty(), "EmailConfiguration": GeneratedProperty(), "EmailVerificationMessage": GeneratedProperty(), "EmailVerificationSubject": GeneratedProperty(), @@ -28,7 +30,10 @@ class CognitoUserPool(Resource): "UserPoolAddOns": GeneratedProperty(), "UserPoolName": GeneratedProperty(), "UserPoolTags": GeneratedProperty(), + "UserPoolTier": GeneratedProperty(), "VerificationMessageTemplate": GeneratedProperty(), + "WebAuthnRelyingPartyID": GeneratedProperty(), + "WebAuthnUserVerification": GeneratedProperty(), } runtime_attrs = { diff --git a/samtranslator/model/eventsources/pull.py b/samtranslator/model/eventsources/pull.py index 37349506ac..5845865b72 100644 --- a/samtranslator/model/eventsources/pull.py +++ b/samtranslator/model/eventsources/pull.py @@ -2,6 +2,7 @@ from typing import Any, Dict, List, Optional, Tuple from samtranslator.internal.deprecation_control import deprecated +from samtranslator.intrinsics.resolver import IntrinsicsResolver from samtranslator.metrics.method_decorator import cw_timer from samtranslator.model import PassThroughProperty, Property, PropertyType, ResourceMacro from samtranslator.model.eventsources import FUNCTION_EVETSOURCE_METRIC_PREFIX @@ -25,6 +26,8 @@ class PullEventSource(ResourceMacro, metaclass=ABCMeta): :cvar str policy_arn: The ARN of the AWS managed role policy corresponding to this pull event source """ + ARN_SEGMENTS_COUNT = 6 + REGISTRY_SEGMENT_POS_IN_ARN = 5 # Event types that support `FilterCriteria`, stored as a list to keep the alphabetical order RESOURCE_TYPES_WITH_EVENT_FILTERING = ["DocumentDB", "DynamoDB", "Kinesis", "MQ", "MSK", "SelfManagedKafka", "SQS"] @@ -56,6 +59,7 @@ class PullEventSource(ResourceMacro, metaclass=ABCMeta): "ConsumerGroupId": PropertyType(False, IS_STR), "ScalingConfig": PropertyType(False, IS_DICT), "ProvisionedPollerConfig": PropertyType(False, IS_DICT), + "SchemaRegistryConfig": PropertyType(False, IS_DICT), "MetricsConfig": PropertyType(False, IS_DICT), } @@ -81,6 +85,7 @@ class PullEventSource(ResourceMacro, metaclass=ABCMeta): ConsumerGroupId: Optional[Intrinsicable[str]] ScalingConfig: Optional[Dict[str, Any]] ProvisionedPollerConfig: Optional[Dict[str, Any]] + SchemaRegistryConfig: Optional[Dict[str, Any]] MetricsConfig: Optional[Dict[str, Any]] @abstractmethod @@ -88,7 +93,9 @@ def get_policy_arn(self) -> Optional[str]: """Policy to be added to the role (if a role applies).""" @abstractmethod - def get_policy_statements(self) -> Optional[List[Dict[str, Any]]]: + def get_policy_statements( + self, intrinsic_resolver: Optional[IntrinsicsResolver] = None + ) -> Optional[List[Dict[str, Any]]]: """Inline policy statements to be added to the role (if a role applies).""" @abstractmethod @@ -113,6 +120,7 @@ def to_cloudformation(self, **kwargs): # type: ignore[no-untyped-def] # noqa: P :rtype: list """ function = kwargs.get("function") + intrinsic_resolver = kwargs.get("intrinsics_resolver") if not function: raise TypeError("Missing required keyword argument: function") @@ -168,7 +176,19 @@ def to_cloudformation(self, **kwargs): # type: ignore[no-untyped-def] # noqa: P self.logical_id, f"Property ConsumerGroupId not defined for resource of type {self.resource_type}.", ) - + if self.SchemaRegistryConfig: + if self.resource_type == "MSK": + if not lambda_eventsourcemapping.AmazonManagedKafkaEventSourceConfig: # type: ignore[attr-defined] + lambda_eventsourcemapping.AmazonManagedKafkaEventSourceConfig = {} + lambda_eventsourcemapping.AmazonManagedKafkaEventSourceConfig["SchemaRegistryConfig"] = ( # type: ignore[attr-defined] + self.SchemaRegistryConfig + ) + if self.resource_type == "SelfManagedKafka": + if not lambda_eventsourcemapping.SelfManagedKafkaEventSourceConfig: # type: ignore[attr-defined] + lambda_eventsourcemapping.SelfManagedKafkaEventSourceConfig = {} + lambda_eventsourcemapping.SelfManagedKafkaEventSourceConfig["SchemaRegistryConfig"] = ( # type: ignore[attr-defined] + self.SchemaRegistryConfig + ) destination_config_policy: Optional[Dict[str, Any]] = None if self.DestinationConfig: on_failure: Dict[str, Any] = sam_expect( @@ -211,18 +231,18 @@ def to_cloudformation(self, **kwargs): # type: ignore[no-untyped-def] # noqa: P self.add_extra_eventsourcemapping_fields(lambda_eventsourcemapping) if "role" in kwargs: - self._link_policy(kwargs["role"], destination_config_policy) # type: ignore[no-untyped-call] + self._link_policy(kwargs["role"], intrinsic_resolver, destination_config_policy) # type: ignore[no-untyped-call] return resources - def _link_policy(self, role, destination_config_policy=None): # type: ignore[no-untyped-def] + def _link_policy(self, role, intrinsic_resolver=None, destination_config_policy=None): # type: ignore[no-untyped-def] """If this source triggers a Lambda function whose execution role is auto-generated by SAM, add the appropriate managed policy to this Role. :param model.iam.IAMRole role: the execution role generated for the function """ policy_arn = self.get_policy_arn() - policy_statements = self.get_policy_statements() + policy_statements = self.get_policy_statements(intrinsic_resolver) if role is not None: if policy_arn is not None and policy_arn not in role.ManagedPolicyArns: role.ManagedPolicyArns.append(policy_arn) @@ -324,6 +344,99 @@ def _get_kms_decrypt_policy(secrets_manager_kms_key_id: str) -> Dict[str, Any]: }, } + def validate_schema_registry_config(self) -> None: + if not self.SchemaRegistryConfig: + return + + sam_expect(self.SchemaRegistryConfig, self.relative_id, "SchemaRegistryConfig", is_sam_event=True).to_be_a_map() + required_fields = ["SchemaRegistryURI", "EventRecordFormat", "SchemaValidationConfigs"] + for field in required_fields: + if field not in self.SchemaRegistryConfig: + raise InvalidEventException(self.relative_id, f"Missing required field {field} in SchemaRegistryConfig") + + event_record_format = self.SchemaRegistryConfig.get("EventRecordFormat") + if event_record_format not in ["JSON", "SOURCE"]: + raise InvalidEventException( + self.relative_id, "EventRecordFormat in SchemaRegistryConfig must be either 'JSON' or 'SOURCE'" + ) + + validation_configs = self.SchemaRegistryConfig.get("SchemaValidationConfigs") + if not isinstance(validation_configs, list): + raise InvalidEventException(self.relative_id, "SchemaValidationConfigs must be a list") + + access_configs = self.SchemaRegistryConfig.get("AccessConfigs", []) + if access_configs: + if not isinstance(access_configs, list): + raise InvalidEventException(self.relative_id, "AccessConfigs in SchemaRegistryConfig must be a list") + for config in access_configs: + if not isinstance(config, dict) or "Type" not in config or "URI" not in config: + raise InvalidEventException( + self.relative_id, "Each AccessConfig must be a dict with 'Type' and 'URI' fields" + ) + + def get_schema_registry_permissions( + self, intrinsic_resolver: Optional[IntrinsicsResolver] = None + ) -> Optional[List[Dict[str, Any]]]: + + if not self.SchemaRegistryConfig: + return None + + self.validate_schema_registry_config() + + statements = [] + + # Add permissions for AccessConfigs secrets if provided + access_configs = self.SchemaRegistryConfig.get("AccessConfigs", []) + for config in access_configs: + if isinstance(config, dict) and "URI" in config: + statements.append( + { + "Action": [ + "secretsmanager:GetSecretValue", + ], + "Effect": "Allow", + "Resource": config["URI"], + } + ) + + registry_uri = self.SchemaRegistryConfig.get("SchemaRegistryURI") + registry_arn = None + ## resolved_value is still going to be a dict if intrinsic functions are used. Otherwise, it'd be a string. + if isinstance(registry_uri, str): + registry_arn = registry_uri + elif isinstance(registry_uri, dict) and intrinsic_resolver is not None: + ## We can't handle other intrinsic functions in SAM. Don't pass original dictionary + + resolved_value = intrinsic_resolver.resolve_parameter_refs(registry_uri.copy()) + registry_arn = resolved_value.get("Fn::Sub") + + registry_name_optional = self.get_registry_name(str(registry_arn)) + if registry_name_optional is not None: + statements.append({"Action": ["glue:GetRegistry"], "Effect": "Allow", "Resource": registry_uri}) + statements.append( + { + "Action": ["glue:GetSchemaVersion"], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/" + + registry_name_optional + + "/*" + }, + ], + } + ) + return statements + + def get_registry_name(self, registry_uri: str) -> Optional[str]: + if isinstance(registry_uri, str) and registry_uri.startswith("arn"): + parts = registry_uri.split(":") + if len(parts) >= PullEventSource.ARN_SEGMENTS_COUNT and parts[ + PullEventSource.REGISTRY_SEGMENT_POS_IN_ARN + ].startswith("registry/"): + return parts[PullEventSource.REGISTRY_SEGMENT_POS_IN_ARN][len("registry/") :] + return None + class Kinesis(PullEventSource): """Kinesis event source.""" @@ -343,7 +456,9 @@ def get_event_source_arn(self) -> Optional[PassThrough]: def get_policy_arn(self) -> Optional[str]: return ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaKinesisExecutionRole") - def get_policy_statements(self) -> Optional[List[Dict[str, Any]]]: + def get_policy_statements( + self, intrinsic_resolver: Optional[IntrinsicsResolver] = None + ) -> Optional[List[Dict[str, Any]]]: return None @@ -365,7 +480,9 @@ def get_event_source_arn(self) -> Optional[PassThrough]: def get_policy_arn(self) -> Optional[str]: return ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaDynamoDBExecutionRole") - def get_policy_statements(self) -> Optional[List[Dict[str, Any]]]: + def get_policy_statements( + self, intrinsic_resolver: Optional[IntrinsicsResolver] = None + ) -> Optional[List[Dict[str, Any]]]: return None @@ -386,7 +503,9 @@ def get_event_source_arn(self) -> Optional[PassThrough]: def get_policy_arn(self) -> Optional[str]: return ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaSQSQueueExecutionRole") - def get_policy_statements(self) -> Optional[List[Dict[str, Any]]]: + def get_policy_statements( + self, intrinsic_resolver: Optional[IntrinsicsResolver] = None + ) -> Optional[List[Dict[str, Any]]]: return None @@ -408,29 +527,30 @@ def get_event_source_arn(self) -> Optional[PassThrough]: def get_policy_arn(self) -> Optional[str]: return ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaMSKExecutionRole") - def get_policy_statements(self) -> Optional[List[Dict[str, Any]]]: + def get_policy_statements( + self, intrinsic_resolver: Optional[IntrinsicsResolver] = None + ) -> Optional[List[Dict[str, Any]]]: + statements: List[Dict[str, Any]] = [] + if self.SchemaRegistryConfig: + schema_registry_statements = self.get_schema_registry_permissions(intrinsic_resolver) + if schema_registry_statements is not None: + statements.extend(schema_registry_statements) if self.SourceAccessConfigurations: for conf in self.SourceAccessConfigurations: # Lambda does not support multiple CLIENT_CERTIFICATE_TLS_AUTH configurations if isinstance(conf, dict) and conf.get("Type") == "CLIENT_CERTIFICATE_TLS_AUTH" and conf.get("URI"): - return [ + statements.append( { - "PolicyName": "MSKExecutionRolePolicy", - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "secretsmanager:GetSecretValue", - ], - "Effect": "Allow", - "Resource": conf.get("URI"), - } - ] - }, + "Action": [ + "secretsmanager:GetSecretValue", + ], + "Effect": "Allow", + "Resource": conf.get("URI"), } - ] - - return None + ) + if not statements: + return None + return [{"PolicyName": "MSKExecutionRolePolicy", "PolicyDocument": {"Statement": statements}}] class MQ(PullEventSource): @@ -487,7 +607,9 @@ def get_event_source_arn(self) -> Optional[PassThrough]: def get_policy_arn(self) -> Optional[str]: return None - def get_policy_statements(self) -> Optional[List[Dict[str, Any]]]: + def get_policy_statements( + self, intrinsic_resolver: Optional[IntrinsicsResolver] = None + ) -> Optional[List[Dict[str, Any]]]: basic_auth_uri = self._validate_source_access_configurations(["BASIC_AUTH", "VIRTUAL_HOST"], "BASIC_AUTH") document = { @@ -544,7 +666,9 @@ def get_event_source_arn(self) -> Optional[PassThrough]: def get_policy_arn(self) -> Optional[str]: return None - def get_policy_statements(self) -> Optional[List[Dict[str, Any]]]: + def get_policy_statements( + self, intrinsic_resolver: Optional[IntrinsicsResolver] = None + ) -> Optional[List[Dict[str, Any]]]: if not self.KafkaBootstrapServers: raise InvalidEventException( self.relative_id, @@ -568,10 +692,12 @@ def get_policy_statements(self) -> Optional[List[Dict[str, Any]]]: self.relative_id, "No SourceAccessConfigurations for self managed kafka event provided.", ) - document = self.generate_policy_document(self.SourceAccessConfigurations) + document = self.generate_policy_document(self.SourceAccessConfigurations, intrinsic_resolver) return [document] - def generate_policy_document(self, source_access_configurations: List[Any]): # type: ignore[no-untyped-def] + def generate_policy_document( # type: ignore[no-untyped-def] + self, source_access_configurations: List[Any], intrinsic_resolver: Optional[IntrinsicsResolver] = None + ): statements = [] authentication_uri, authentication_uri_2, has_vpc_config = self.get_secret_key(source_access_configurations) if authentication_uri: @@ -591,6 +717,12 @@ def generate_policy_document(self, source_access_configurations: List[Any]): # kms_policy = self._get_kms_decrypt_policy(self.SecretsManagerKmsKeyId) statements.append(kms_policy) + # Add schema registry permissions if configured + if self.SchemaRegistryConfig: + schema_registry_statements = self.get_schema_registry_permissions(intrinsic_resolver) + if schema_registry_statements is not None: + statements.extend(schema_registry_statements) + return { "PolicyDocument": { "Statement": statements, @@ -725,7 +857,7 @@ def get_event_source_arn(self) -> Optional[PassThrough]: def get_policy_arn(self) -> Optional[str]: return None - def get_policy_statements(self) -> List[Dict[str, Any]]: + def get_policy_statements(self, intrinsic_resolver: Optional[IntrinsicsResolver] = None) -> List[Dict[str, Any]]: basic_auth_uri = self._validate_source_access_configurations(["BASIC_AUTH"], "BASIC_AUTH") statements = [ diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json index d1e3135817..91b2e7f0f2 100644 --- a/samtranslator/schema/schema.json +++ b/samtranslator/schema/schema.json @@ -1498,7 +1498,7 @@ }, "LoggingConfiguration": { "$ref": "#/definitions/AWS::APS::Workspace.LoggingConfiguration", - "markdownDescription": "Contains information about the logging configuration for the workspace.", + "markdownDescription": "Contains information about the current rules and alerting logging configuration for the workspace.\n\n> These logging configurations are only for rules and alerting logs.", "title": "LoggingConfiguration" }, "Tags": { @@ -5973,7 +5973,7 @@ "type": "object" }, "TimeoutInMillis": { - "markdownDescription": "Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29 seconds.", + "markdownDescription": "Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29 seconds. You can increase the default value to longer than 29 seconds for Regional or private APIs only.", "title": "TimeoutInMillis", "type": "number" }, @@ -22823,7 +22823,7 @@ "type": "array" }, "PlacementGroup": { - "markdownDescription": "The name of the placement group into which to launch your instances. For more information, see [Placement groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\n> A *cluster* placement group is a logical grouping of instances within a single Availability Zone. You cannot specify multiple Availability Zones and a cluster placement group.", + "markdownDescription": "The name of the placement group into which to launch your instances. For more information, see [Placement groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide* .\n\n> A *cluster* placement group is a logical grouping of instances within a single Availability Zone. You cannot specify multiple Availability Zones and a cluster placement group.", "title": "PlacementGroup", "type": "string" }, @@ -23011,11 +23011,11 @@ }, "BaselineEbsBandwidthMbps": { "$ref": "#/definitions/AWS::AutoScaling::AutoScalingGroup.BaselineEbsBandwidthMbpsRequest", - "markdownDescription": "The minimum and maximum baseline bandwidth performance for an instance type, in Mbps. For more information, see [Amazon EBS\u2013optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nDefault: No minimum or maximum limits", + "markdownDescription": "The minimum and maximum baseline bandwidth performance for an instance type, in Mbps. For more information, see [Amazon EBS\u2013optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide* .\n\nDefault: No minimum or maximum limits", "title": "BaselineEbsBandwidthMbps" }, "BurstablePerformance": { - "markdownDescription": "Indicates whether burstable performance instance types are included, excluded, or required. For more information, see [Burstable performance instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nDefault: `excluded`", + "markdownDescription": "Indicates whether burstable performance instance types are included, excluded, or required. For more information, see [Burstable performance instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) in the *Amazon EC2 User Guide* .\n\nDefault: `excluded`", "title": "BurstablePerformance", "type": "string" }, @@ -23023,7 +23023,7 @@ "items": { "type": "string" }, - "markdownDescription": "Lists which specific CPU manufacturers to include.\n\n- For instance types with Intel CPUs, specify `intel` .\n- For instance types with AMD CPUs, specify `amd` .\n- For instance types with AWS CPUs, specify `amazon-web-services` .\n\n> Don't confuse the CPU hardware manufacturer with the CPU hardware architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. \n\nDefault: Any manufacturer", + "markdownDescription": "Lists which specific CPU manufacturers to include.\n\n- For instance types with Intel CPUs, specify `intel` .\n- For instance types with AMD CPUs, specify `amd` .\n- For instance types with AWS CPUs, specify `amazon-web-services` .\n- For instance types with Apple CPUs, specify `apple` .\n\n> Don't confuse the CPU hardware manufacturer with the CPU hardware architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. \n\nDefault: Any manufacturer", "title": "CpuManufacturers", "type": "array" }, @@ -23039,12 +23039,12 @@ "items": { "type": "string" }, - "markdownDescription": "Indicates whether current or previous generation instance types are included.\n\n- For current generation instance types, specify `current` . The current generation includes EC2 instance types currently recommended for use. This typically includes the latest two to three generations in each instance family. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide for Linux Instances* .\n- For previous generation instance types, specify `previous` .\n\nDefault: Any current or previous generation", + "markdownDescription": "Indicates whether current or previous generation instance types are included.\n\n- For current generation instance types, specify `current` . The current generation includes EC2 instance types currently recommended for use. This typically includes the latest two to three generations in each instance family. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide* .\n- For previous generation instance types, specify `previous` .\n\nDefault: Any current or previous generation", "title": "InstanceGenerations", "type": "array" }, "LocalStorage": { - "markdownDescription": "Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, see [Amazon EC2 instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nDefault: `included`", + "markdownDescription": "Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, see [Amazon EC2 instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html) in the *Amazon EC2 User Guide* .\n\nDefault: `included`", "title": "LocalStorage", "type": "string" }, @@ -23180,7 +23180,7 @@ "title": "InstanceRequirements" }, "InstanceType": { - "markdownDescription": "The instance type, such as `m3.xlarge` . You must specify an instance type that is supported in your requested Region and Availability Zones. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nYou can specify up to 40 instance types per Auto Scaling group.", + "markdownDescription": "The instance type, such as `m3.xlarge` . You must specify an instance type that is supported in your requested Region and Availability Zones. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide* .\n\nYou can specify up to 40 instance types per Auto Scaling group.", "title": "InstanceType", "type": "string" }, @@ -23498,7 +23498,7 @@ "items": { "$ref": "#/definitions/AWS::AutoScaling::LaunchConfiguration.BlockDeviceMapping" }, - "markdownDescription": "The block device mapping entries that define the block devices to attach to the instances at launch. By default, the block devices specified in the block device mapping for the AMI are used. For more information, see [Block device mappings](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "markdownDescription": "The block device mapping entries that define the block devices to attach to the instances at launch. By default, the block devices specified in the block device mapping for the AMI are used. For more information, see [Block device mappings](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) in the *Amazon EC2 User Guide* .", "title": "BlockDeviceMappings", "type": "array" }, @@ -23516,7 +23516,7 @@ "type": "array" }, "EbsOptimized": { - "markdownDescription": "Specifies whether the launch configuration is optimized for EBS I/O ( `true` ) or not ( `false` ). The optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization is not available with all instance types. Additional fees are incurred when you enable EBS optimization for an instance type that is not EBS-optimized by default. For more information, see [Amazon EBS-optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nThe default value is `false` .", + "markdownDescription": "Specifies whether the launch configuration is optimized for EBS I/O ( `true` ) or not ( `false` ). The optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization is not available with all instance types. Additional fees are incurred when you enable EBS optimization for an instance type that is not EBS-optimized by default. For more information, see [Amazon EBS-optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide* .\n\nThe default value is `false` .", "title": "EbsOptimized", "type": "boolean" }, @@ -23526,7 +23526,7 @@ "type": "string" }, "ImageId": { - "markdownDescription": "The ID of the Amazon Machine Image (AMI) that was assigned during registration. For more information, see [Find a Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nIf you specify `InstanceId` , an `ImageId` is not required.", + "markdownDescription": "The ID of the Amazon Machine Image (AMI) that was assigned during registration. For more information, see [Find a Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html) in the *Amazon EC2 User Guide* .\n\nIf you specify `InstanceId` , an `ImageId` is not required.", "title": "ImageId", "type": "string" }, @@ -23541,17 +23541,17 @@ "type": "boolean" }, "InstanceType": { - "markdownDescription": "Specifies the instance type of the EC2 instance. For information about available instance types, see [Available instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes) in the *Amazon EC2 User Guide for Linux Instances* .\n\nIf you specify `InstanceId` , an `InstanceType` is not required.", + "markdownDescription": "Specifies the instance type of the EC2 instance. For information about available instance types, see [Available instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes) in the *Amazon EC2 User Guide* .\n\nIf you specify `InstanceId` , an `InstanceType` is not required.", "title": "InstanceType", "type": "string" }, "KernelId": { - "markdownDescription": "The ID of the kernel associated with the AMI.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "markdownDescription": "The ID of the kernel associated with the AMI.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide* .", "title": "KernelId", "type": "string" }, "KeyName": { - "markdownDescription": "The name of the key pair. For more information, see [Amazon EC2 key pairs and Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "markdownDescription": "The name of the key pair. For more information, see [Amazon EC2 key pairs and Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) in the *Amazon EC2 User Guide* .", "title": "KeyName", "type": "string" }, @@ -23571,7 +23571,7 @@ "type": "string" }, "RamDiskId": { - "markdownDescription": "The ID of the RAM disk to select.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "markdownDescription": "The ID of the RAM disk to select.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide* .", "title": "RamDiskId", "type": "string" }, @@ -23666,7 +23666,7 @@ "additionalProperties": false, "properties": { "DeviceName": { - "markdownDescription": "The device name assigned to the volume (for example, `/dev/sdh` or `xvdh` ). For more information, see [Device naming on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\n> To define a block device mapping, set the device name and exactly one of the following properties: `Ebs` , `NoDevice` , or `VirtualName` .", + "markdownDescription": "The device name assigned to the volume (for example, `/dev/sdh` or `xvdh` ). For more information, see [Device naming on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html) in the *Amazon EC2 User Guide* .\n\n> To define a block device mapping, set the device name and exactly one of the following properties: `Ebs` , `NoDevice` , or `VirtualName` .", "title": "DeviceName", "type": "string" }, @@ -25904,12 +25904,12 @@ "additionalProperties": false, "properties": { "DeleteAfterDays": { - "markdownDescription": "Specifies the number of days after creation that a recovery point is deleted. Must be greater than `MoveToColdStorageAfterDays` .", + "markdownDescription": "The number of days after creation that a recovery point is deleted. This value must be at least 90 days after the number of days specified in `MoveToColdStorageAfterDays` .", "title": "DeleteAfterDays", "type": "number" }, "MoveToColdStorageAfterDays": { - "markdownDescription": "Specifies the number of days after creation that a recovery point is moved to cold storage.", + "markdownDescription": "The number of days after creation that a recovery point is moved to cold storage.", "title": "MoveToColdStorageAfterDays", "type": "number" }, @@ -35288,7 +35288,7 @@ }, "AutoDeployment": { "$ref": "#/definitions/AWS::CloudFormation::StackSet.AutoDeployment", - "markdownDescription": "Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). For more information, see [Manage automatic deployments for CloudFormation StackSets that use service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.html) in the *AWS CloudFormation User Guide* .\n\nRequired if the permissions model is `SERVICE_MANAGED` . (Not used with self-managed permissions.)", + "markdownDescription": "Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). For more information, see [Enable or disable automatic deployments for StackSets in AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.html) in the *AWS CloudFormation User Guide* .\n\nRequired if the permissions model is `SERVICE_MANAGED` . (Not used with self-managed permissions.)", "title": "AutoDeployment" }, "CallAs": { @@ -38231,7 +38231,7 @@ "properties": { "KinesisStreamConfig": { "$ref": "#/definitions/AWS::CloudFront::RealtimeLogConfig.KinesisStreamConfig", - "markdownDescription": "Contains information about the Amazon Kinesis data stream where you are sending real-time log data.", + "markdownDescription": "Contains information about the Amazon Kinesis data stream where you are sending real-time log data in a real-time log configuration.", "title": "KinesisStreamConfig" }, "StreamType": { @@ -39454,7 +39454,7 @@ "type": "boolean" }, "KMSKeyId": { - "markdownDescription": "Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail. The value can be an alias name prefixed by \"alias/\", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012\n- 12345678-1234-1234-1234-123456789012", + "markdownDescription": "Specifies the AWS KMS key ID to use to encrypt the logs and digest files delivered by CloudTrail. The value can be an alias name prefixed by \"alias/\", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012\n- 12345678-1234-1234-1234-123456789012", "title": "KMSKeyId", "type": "string" }, @@ -55541,7 +55541,7 @@ "additionalProperties": false, "properties": { "CronExpression": { - "markdownDescription": "The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. For more information, see the [Cron expressions reference](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cron-expressions.html) in the *Amazon EventBridge User Guide* .", + "markdownDescription": "The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. For more information, see the [Cron and rate expressions](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html) in the *Amazon EventBridge User Guide* .", "title": "CronExpression", "type": "string" }, @@ -61537,7 +61537,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "markdownDescription": "(Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .\n\n> Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.", "title": "AgentArns", "type": "array" }, @@ -61558,7 +61558,7 @@ }, "AzureBlobSasConfiguration": { "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration", - "markdownDescription": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.", + "markdownDescription": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.\n\n> If you provide an authentication token using `SasConfiguration` , but do not provide secret configuration details using `CmkSecretConfig` or `CustomSecretConfig` , then DataSync stores the token using your AWS account's secrets manager secret.", "title": "AzureBlobSasConfiguration" }, "AzureBlobType": { @@ -62579,7 +62579,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.", + "markdownDescription": "(Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.\n\n> Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.", "title": "AgentArns", "type": "array" }, @@ -62589,7 +62589,7 @@ "type": "string" }, "SecretKey": { - "markdownDescription": "Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.", + "markdownDescription": "Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.\n\n> If you provide a secret using `SecretKey` , but do not provide secret configuration details using `CmkSecretConfig` or `CustomSecretConfig` , then DataSync stores the token using your AWS account's Secrets Manager secret.", "title": "SecretKey", "type": "string" }, @@ -62609,7 +62609,7 @@ "type": "number" }, "ServerProtocol": { - "markdownDescription": "Specifies the protocol that your object storage server uses to communicate.", + "markdownDescription": "Specifies the protocol that your object storage server uses to communicate. If not specified, the default value is `HTTPS` .", "title": "ServerProtocol", "type": "string" }, @@ -62916,41 +62916,27 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that connects to and reads from your on-premises storage system's management interface. You can only specify one ARN.", - "title": "AgentArns", "type": "array" }, "CloudWatchLogGroupArn": { - "markdownDescription": "Specifies the ARN of the Amazon CloudWatch log group for monitoring and logging discovery job events.", - "title": "CloudWatchLogGroupArn", "type": "string" }, "Name": { - "markdownDescription": "Specifies a familiar name for your on-premises storage system.", - "title": "Name", "type": "string" }, "ServerConfiguration": { - "$ref": "#/definitions/AWS::DataSync::StorageSystem.ServerConfiguration", - "markdownDescription": "Specifies the server name and network port required to connect with the management interface of your on-premises storage system.", - "title": "ServerConfiguration" + "$ref": "#/definitions/AWS::DataSync::StorageSystem.ServerConfiguration" }, "ServerCredentials": { - "$ref": "#/definitions/AWS::DataSync::StorageSystem.ServerCredentials", - "markdownDescription": "Specifies the user name and password for accessing your on-premises storage system's management interface.", - "title": "ServerCredentials" + "$ref": "#/definitions/AWS::DataSync::StorageSystem.ServerCredentials" }, "SystemType": { - "markdownDescription": "Specifies the type of on-premises storage system that you want DataSync Discovery to collect information about.\n\n> DataSync Discovery currently supports NetApp Fabric-Attached Storage (FAS) and All Flash FAS (AFF) systems running ONTAP 9.7 or later.", - "title": "SystemType", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your on-premises storage system.", - "title": "Tags", "type": "array" } }, @@ -62986,13 +62972,9 @@ "additionalProperties": false, "properties": { "ServerHostname": { - "markdownDescription": "The domain name or IP address of your storage system's management interface.", - "title": "ServerHostname", "type": "string" }, "ServerPort": { - "markdownDescription": "The network port for accessing the storage system's management interface.", - "title": "ServerPort", "type": "number" } }, @@ -63005,13 +62987,9 @@ "additionalProperties": false, "properties": { "Password": { - "markdownDescription": "Specifies the password for your storage system's management interface.", - "title": "Password", "type": "string" }, "Username": { - "markdownDescription": "Specifies the user name for your storage system's management interface.", - "title": "Username", "type": "string" } }, @@ -63117,7 +63095,7 @@ }, "TaskReportConfig": { "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig", - "markdownDescription": "Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer. For more information, see [Monitoring your DataSync transfers with task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .\n\nWhen using this parameter, your caller identity (the role that you're using DataSync with) must have the `iam:PassRole` permission. The [AWSDataSyncFullAccess](https://docs.aws.amazon.com/datasync/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsdatasyncfullaccess) policy includes this permission.", + "markdownDescription": "The configuration of your task report, which provides detailed information about your DataSync transfer. For more information, see [Monitoring your DataSync transfers with task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .", "title": "TaskReportConfig" } }, @@ -63152,7 +63130,7 @@ "additionalProperties": false, "properties": { "ReportLevel": { - "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to delete.", + "markdownDescription": "", "title": "ReportLevel", "type": "string" } @@ -63164,7 +63142,7 @@ "properties": { "S3": { "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfigDestinationS3", - "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report.", + "markdownDescription": "", "title": "S3" } }, @@ -63214,22 +63192,22 @@ "additionalProperties": false, "properties": { "BucketAccessRoleArn": { - "markdownDescription": "Specifies the AWS Identity and Access Management (IAM) role that allows DataSync to access your manifest. For more information, see [Providing DataSync access to your manifest](https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html#transferring-with-manifest-access) .", + "markdownDescription": "", "title": "BucketAccessRoleArn", "type": "string" }, "ManifestObjectPath": { - "markdownDescription": "Specifies the Amazon S3 object key of your manifest. This can include a prefix (for example, `prefix/my-manifest.csv` ).", + "markdownDescription": "", "title": "ManifestObjectPath", "type": "string" }, "ManifestObjectVersionId": { - "markdownDescription": "Specifies the object version ID of the manifest that you want DataSync to use. If you don't set this, DataSync uses the latest version of the object.", + "markdownDescription": "", "title": "ManifestObjectVersionId", "type": "string" }, "S3BucketArn": { - "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the S3 bucket where you're hosting your manifest.", + "markdownDescription": "", "title": "S3BucketArn", "type": "string" } @@ -63322,22 +63300,22 @@ "properties": { "Deleted": { "$ref": "#/definitions/AWS::DataSync::Task.Deleted", - "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you [configure your task](https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html) to delete data in the destination that isn't in the source.", + "markdownDescription": "", "title": "Deleted" }, "Skipped": { "$ref": "#/definitions/AWS::DataSync::Task.Skipped", - "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.", + "markdownDescription": "", "title": "Skipped" }, "Transferred": { "$ref": "#/definitions/AWS::DataSync::Task.Transferred", - "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.", + "markdownDescription": "", "title": "Transferred" }, "Verified": { "$ref": "#/definitions/AWS::DataSync::Task.Verified", - "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.", + "markdownDescription": "", "title": "Verified" } }, @@ -63347,7 +63325,7 @@ "additionalProperties": false, "properties": { "ReportLevel": { - "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to skip.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to skip.", + "markdownDescription": "", "title": "ReportLevel", "type": "string" } @@ -63359,7 +63337,7 @@ "properties": { "S3": { "$ref": "#/definitions/AWS::DataSync::Task.ManifestConfigSourceS3", - "markdownDescription": "Specifies the S3 bucket where you're hosting your manifest.", + "markdownDescription": "", "title": "S3" } }, @@ -63404,17 +63382,17 @@ "additionalProperties": false, "properties": { "BucketAccessRoleArn": { - "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. For more information, see [Allowing DataSync to upload a task report to an Amazon S3 bucket](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .", + "markdownDescription": "", "title": "BucketAccessRoleArn", "type": "string" }, "S3BucketArn": { - "markdownDescription": "Specifies the ARN of the S3 bucket where DataSync uploads your report.", + "markdownDescription": "", "title": "S3BucketArn", "type": "string" }, "Subdirectory": { - "markdownDescription": "Specifies a bucket prefix for your report.", + "markdownDescription": "", "title": "Subdirectory", "type": "string" } @@ -63430,7 +63408,7 @@ "type": "string" }, "Status": { - "markdownDescription": "Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to perform maintenance on a storage system before you can begin a recurring DataSync transfer.\n\nDataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see the [*DataSync User Guide*](https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html#pause-task-schedule) .", + "markdownDescription": "Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to pause a recurring transfer to fix an issue with your task or perform maintenance on your storage system.\n\nDataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see [TaskScheduleDetails](https://docs.aws.amazon.com/datasync/latest/userguide/API_TaskScheduleDetails.html) .", "title": "Status", "type": "string" } @@ -63441,7 +63419,7 @@ "additionalProperties": false, "properties": { "ReportLevel": { - "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer.", + "markdownDescription": "", "title": "ReportLevel", "type": "string" } @@ -63452,7 +63430,7 @@ "additionalProperties": false, "properties": { "ReportLevel": { - "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify.", + "markdownDescription": "", "title": "ReportLevel", "type": "string" } @@ -66582,7 +66560,7 @@ "type": "array" }, "EngineVersion": { - "markdownDescription": "The version number of the database engine to use. The `--engine-version` will default to the latest major engine version. For production workloads, we recommend explicitly declaring this parameter with the intended major engine version.\n\nChanging the `EngineVersion` will start an in-place engine version upgrade. Note that in-place engine version upgrade will cause downtime in the cluster. See [Amazon DocumentDB in-place major version upgrade](https://docs.aws.amazon.com/documentdb/latest/developerguide/docdb-mvu.html) before starting an in-place engine version upgrade.", + "markdownDescription": "The version number of the database engine to use. The `--engine-version` will default to the latest major engine version. For production workloads, we recommend explicitly declaring this parameter with the intended major engine version.\n\nIf you intend to trigger an in-place upgrade, please refer to [Amazon DocumentDB in-place major version upgrade](https://docs.aws.amazon.com/documentdb/latest/developerguide/docdb-mvu.html) . Note that for an in-place engine version upgrade, you need to remove other cluster properties changes (e.g. SecurityGroupId) from the CFN template.", "title": "EngineVersion", "type": "string" }, @@ -68065,7 +68043,7 @@ }, "ProvisionedThroughput": { "$ref": "#/definitions/AWS::DynamoDB::Table.ProvisionedThroughput", - "markdownDescription": "Represents the provisioned throughput settings for the specified global secondary index.\n\nFor current minimum and maximum provisioned throughput values, see [Service, Account, and Table Quotas](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html) in the *Amazon DynamoDB Developer Guide* .", + "markdownDescription": "Represents the provisioned throughput settings for the specified global secondary index. You must use either `OnDemandThroughput` or `ProvisionedThroughput` based on your table's capacity mode.\n\nFor current minimum and maximum provisioned throughput values, see [Service, Account, and Table Quotas](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html) in the *Amazon DynamoDB Developer Guide* .", "title": "ProvisionedThroughput" } }, @@ -69821,7 +69799,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n\nDefault: Any accelerator type", + "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with Inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "title": "AcceleratorTypes", "type": "array" }, @@ -72922,7 +72900,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n\nDefault: Any accelerator type", + "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with Inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "title": "AcceleratorTypes", "type": "array" }, @@ -77442,7 +77420,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n\nDefault: Any accelerator type", + "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with Inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "title": "AcceleratorTypes", "type": "array" }, @@ -78970,12 +78948,12 @@ "type": "string" }, "DefaultRouteTableAssociation": { - "markdownDescription": "Enable or disable automatic association with the default association route table. Enabled by default.", + "markdownDescription": "Enable or disable automatic association with the default association route table. Enabled by default. If `DefaultRouteTableAssociation` is set to enable, AWS Transit Gateway will create the default transit gateway route table.", "title": "DefaultRouteTableAssociation", "type": "string" }, "DefaultRouteTablePropagation": { - "markdownDescription": "Enable or disable automatic propagation of routes to the default propagation route table. Enabled by default.", + "markdownDescription": "Enable or disable automatic propagation of routes to the default propagation route table. Enabled by default. If `DefaultRouteTablePropagation` is set to enable, AWS Transit Gateway will create the default transit gateway route table.", "title": "DefaultRouteTablePropagation", "type": "string" }, @@ -79635,12 +79613,12 @@ "type": "string" }, "PeerRegion": { - "markdownDescription": "The Region of the transit gateway.", + "markdownDescription": "The Region where the transit gateway that you want to create the peer for is located.", "title": "PeerRegion", "type": "string" }, "PeerTransitGatewayId": { - "markdownDescription": "The ID of the transit gateway.", + "markdownDescription": "The ID of the transit gateway in the PeerRegion.", "title": "PeerTransitGatewayId", "type": "string" }, @@ -83844,7 +83822,7 @@ }, "Options": { "additionalProperties": true, - "markdownDescription": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", + "markdownDescription": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n\n> On June 25, 2025, Amazon ECS is changing the default log driver mode from `blocking` to `non-blocking` to prioritize task availability over logging. To continue using the `blocking` mode after this change, do one of the following:\n> \n> - Set the `mode` option in your container definition's `logConfiguration` as `blocking` .\n> - Set the `defaultLogDriverMode` account setting to `blocking` .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -84065,12 +84043,12 @@ "additionalProperties": false, "properties": { "Encrypted": { - "markdownDescription": "Indicates whether the volume should be encrypted. If no value is specified, encryption is turned on by default. This parameter maps 1:1 with the `Encrypted` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", + "markdownDescription": "Indicates whether the volume should be encrypted. If you turn on Region-level Amazon EBS encryption by default but set this value as `false` , the setting is overridden and the volume is encrypted with the KMS key specified for Amazon EBS encryption by default. This parameter maps 1:1 with the `Encrypted` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", "title": "Encrypted", "type": "boolean" }, "FilesystemType": { - "markdownDescription": "The filesystem type for the volume. For volumes created from a snapshot, you must specify the same filesystem type that the volume was using when the snapshot was created. If there is a filesystem type mismatch, the task will fail to start.\n\nThe available Linux filesystem types are `ext3` , `ext4` , and `xfs` . If no value is specified, the `xfs` filesystem type is used by default.\n\nThe available Windows filesystem types are `NTFS` .", + "markdownDescription": "The filesystem type for the volume. For volumes created from a snapshot, you must specify the same filesystem type that the volume was using when the snapshot was created. If there is a filesystem type mismatch, the tasks will fail to start.\n\nThe available Linux filesystem types are `ext3` , `ext4` , and `xfs` . If no value is specified, the `xfs` filesystem type is used by default.\n\nThe available Windows filesystem types are `NTFS` .", "title": "FilesystemType", "type": "string" }, @@ -84080,7 +84058,7 @@ "type": "number" }, "KmsKeyId": { - "markdownDescription": "The Amazon Resource Name (ARN) identifier of the AWS Key Management Service key to use for Amazon EBS encryption. When encryption is turned on and no AWS Key Management Service key is specified, the default AWS managed key for Amazon EBS volumes is used. This parameter maps 1:1 with the `KmsKeyId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .\n\n> AWS authenticates the AWS Key Management Service key asynchronously. Therefore, if you specify an ID, alias, or ARN that is invalid, the action can appear to complete, but eventually fails.", + "markdownDescription": "The Amazon Resource Name (ARN) identifier of the AWS Key Management Service key to use for Amazon EBS encryption. When a key is specified using this parameter, it overrides Amazon EBS default encryption or any KMS key that you specified for cluster-level managed storage encryption. This parameter maps 1:1 with the `KmsKeyId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* . For more information about encrypting Amazon EBS volumes attached to tasks, see [Encrypt data stored in Amazon EBS volumes attached to Amazon ECS tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ebs-kms-encryption.html) .\n\n> AWS authenticates the AWS Key Management Service key asynchronously. Therefore, if you specify an ID, alias, or ARN that is invalid, the action can appear to complete, but eventually fails.", "title": "KmsKeyId", "type": "string" }, @@ -84095,7 +84073,7 @@ "type": "number" }, "SnapshotId": { - "markdownDescription": "The snapshot that Amazon ECS uses to create the volume. You must specify either a snapshot ID or a volume size. This parameter maps 1:1 with the `SnapshotId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", + "markdownDescription": "The snapshot that Amazon ECS uses to create volumes for attachment to tasks maintained by the service. You must specify either `snapshotId` or `sizeInGiB` in your volume configuration. This parameter maps 1:1 with the `SnapshotId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", "title": "SnapshotId", "type": "string" }, @@ -84228,7 +84206,7 @@ "type": "array" }, "Cpu": { - "markdownDescription": "The number of `cpu` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the `memory` parameter.\n\nIf you're using the EC2 launch type or the external launch type, this field is optional. Supported values are between `128` CPU units ( `0.125` vCPUs) and `196608` CPU units ( `192` vCPUs). The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate.\n\n- 256 (.25 vCPU) - Available `memory` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB)\n- 512 (.5 vCPU) - Available `memory` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB)\n- 1024 (1 vCPU) - Available `memory` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB)\n- 2048 (2 vCPU) - Available `memory` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB)\n- 4096 (4 vCPU) - Available `memory` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB)\n- 8192 (8 vCPU) - Available `memory` values: 16 GB and 60 GB in 4 GB increments\n\nThis option requires Linux platform `1.4.0` or later.\n- 16384 (16vCPU) - Available `memory` values: 32GB and 120 GB in 8 GB increments\n\nThis option requires Linux platform `1.4.0` or later.", + "markdownDescription": "The number of `cpu` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the `memory` parameter.\n\nIf you're using the EC2 launch type or the external launch type, this field is optional. Supported values are between `128` CPU units ( `0.125` vCPUs) and `196608` CPU units ( `192` vCPUs).\n\nThis field is required for Fargate. For information about the valid values, see [Task size](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) in the *Amazon Elastic Container Service Developer Guide* .", "title": "Cpu", "type": "string" }, @@ -84389,7 +84367,7 @@ "items": { "$ref": "#/definitions/AWS::ECS::TaskDefinition.ContainerDependency" }, - "markdownDescription": "The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed.\n\nFor tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the container agent to turn on container dependencies. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nIf the task definition is used in a blue/green deployment that uses [AWS::CodeDeploy::DeploymentGroup BlueGreenDeploymentConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-bluegreendeploymentconfiguration.html) , the `dependsOn` parameter is not supported. For more information see [Issue #680](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/680) on the on the GitHub website.", + "markdownDescription": "The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed.\n\nFor tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the container agent to turn on container dependencies. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nIf the task definition is used in a blue/green deployment that uses [AWS::CodeDeploy::DeploymentGroup BlueGreenDeploymentConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-bluegreendeploymentconfiguration.html) , the `dependsOn` parameter is not supported.", "title": "DependsOn", "type": "array" }, @@ -85014,7 +84992,7 @@ }, "Options": { "additionalProperties": true, - "markdownDescription": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", + "markdownDescription": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n\n> On June 25, 2025, Amazon ECS is changing the default log driver mode from `blocking` to `non-blocking` to prioritize task availability over logging. To continue using the `blocking` mode after this change, do one of the following:\n> \n> - Set the `mode` option in your container definition's `logConfiguration` as `blocking` .\n> - Set the `defaultLogDriverMode` account setting to `blocking` .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -85197,7 +85175,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"`\n\nAll of these values are supported by Fargate.", + "markdownDescription": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"` . Only namespaced `Sysctls` that exist within the container starting with \"net.* are accepted.\n\nAll of these values are supported by Fargate.", "title": "Value", "type": "string" } @@ -86578,12 +86556,12 @@ "additionalProperties": false, "properties": { "EndpointPrivateAccess": { - "markdownDescription": "Set this value to `true` to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is `false` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that `publicAccessCidrs` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", + "markdownDescription": "Set this value to `true` to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is `false` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that `publicAccessCidrs` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", "title": "EndpointPrivateAccess", "type": "boolean" }, "EndpointPublicAccess": { - "markdownDescription": "Set this value to `false` to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is `true` , which enables public access for your Kubernetes API server. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", + "markdownDescription": "Set this value to `false` to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is `true` , which enables public access for your Kubernetes API server. The endpoint domain name and IP address family depends on the value of the `ipFamily` for the cluster. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", "title": "EndpointPublicAccess", "type": "boolean" }, @@ -86591,7 +86569,7 @@ "items": { "type": "string" }, - "markdownDescription": "The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is `0.0.0.0/0` . If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate `Pod` in the cluster. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", + "markdownDescription": "The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is `0.0.0.0/0` and additionally `::/0` for dual-stack `IPv6` clusters. If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate `Pod` in the cluster. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .\n\nNote that the public endpoints are dual-stack for only `IPv6` clusters that are made after October 2024. You can't add `IPv6` CIDR blocks to `IPv4` clusters or `IPv6` clusters that were made before October 2024.", "title": "PublicAccessCidrs", "type": "array" }, @@ -90891,7 +90869,7 @@ "type": "string" }, "ClusterMode": { - "markdownDescription": "Enabled or Disabled. To modify cluster mode from Disabled to Enabled, you must first set the cluster mode to Compatible. Compatible mode allows your Valkey or Redis OSS clients to connect using both cluster mode enabled and cluster mode disabled. After you migrate all Valkey or Redis OSS clients to use cluster mode enabled, you can then complete cluster mode configuration and set the cluster mode to Enabled. For more information, see [Modify cluster mode](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/modify-cluster-mode.html) .", + "markdownDescription": "The mode can be enabled or disabled. To change the cluster mode from disabled to enabled, you must first set the cluster mode to compatible. The compatible mode allows your Valkey or Redis OSS clients to connect using both cluster mode enabled and cluster mode disabled. After you migrate all Valkey or Redis OSS clients to use cluster mode enabled, you can then complete cluster mode configuration and set the cluster mode to enabled. For more information, see [Modify cluster mode](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/modify-cluster-mode.html) .", "title": "ClusterMode", "type": "string" }, @@ -92943,7 +92921,7 @@ "type": "string" }, "SslPolicy": { - "markdownDescription": "[HTTPS and TLS listeners] The security policy that defines which protocols and ciphers are supported.\n\nUpdating the security policy can result in interruptions if the load balancer is handling a high volume of traffic.\n\nFor more information, see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) in the *Application Load Balancers Guide* and [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#describe-ssl-policies) in the *Network Load Balancers Guide* .", + "markdownDescription": "[HTTPS and TLS listeners] The security policy that defines which protocols and ciphers are supported. For more information, see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html) in the *Application Load Balancers Guide* and [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) in the *Network Load Balancers Guide* .\n\n[HTTPS listeners] Updating the security policy can result in interruptions if the load balancer is handling a high volume of traffic. To decrease the possibility of an interruption if your load balancer is handling a high volume of traffic, create an additional load balancer or request an LCU reservation.", "title": "SslPolicy", "type": "string" } @@ -93278,7 +93256,7 @@ "additionalProperties": false, "properties": { "DurationSeconds": { - "markdownDescription": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).", + "markdownDescription": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.", "title": "DurationSeconds", "type": "number" }, @@ -93718,7 +93696,7 @@ "items": { "type": "string" }, - "markdownDescription": "The host names. The maximum size of each name is 128 characters. The comparison is case insensitive. The following wildcard characters are supported: * (matches 0 or more characters) and ? (matches exactly 1 character).\n\nIf you specify multiple strings, the condition is satisfied if one of the strings matches the host name.", + "markdownDescription": "The host names. The maximum size of each name is 128 characters. The comparison is case insensitive. The following wildcard characters are supported: * (matches 0 or more characters) and ? (matches exactly 1 character). You must include at least one \".\" character. You can include only alphabetical characters after the final \".\" character.\n\nIf you specify multiple strings, the condition is satisfied if one of the strings matches the host name.", "title": "Values", "type": "array" } @@ -93908,7 +93886,7 @@ "additionalProperties": false, "properties": { "DurationSeconds": { - "markdownDescription": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).", + "markdownDescription": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.", "title": "DurationSeconds", "type": "number" }, @@ -93972,7 +93950,7 @@ "additionalProperties": false, "properties": { "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": { - "markdownDescription": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .", + "markdownDescription": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .\n\nYou can't configure this property on a Network Load Balancer unless you associated a security group with the load balancer when you created it.", "title": "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", "type": "string" }, @@ -93985,7 +93963,7 @@ "items": { "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::LoadBalancer.LoadBalancerAttribute" }, - "markdownDescription": "The load balancer attributes.", + "markdownDescription": "The load balancer attributes. Attributes that you do not modify retain their current values.", "title": "LoadBalancerAttributes", "type": "array" }, @@ -94216,7 +94194,7 @@ "items": { "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TargetGroup.TargetGroupAttribute" }, - "markdownDescription": "The target group attributes.", + "markdownDescription": "The target group attributes. Attributes that you do not modify retain their current values.", "title": "TargetGroupAttributes", "type": "array" }, @@ -94310,7 +94288,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` , `least_outstanding_requests` , or `weighted_random` . The default is `round_robin` .\n- `load_balancing.algorithm.anomaly_mitigation` - Only available when `load_balancing.algorithm.type` is `weighted_random` . Indicates whether anomaly mitigation is enabled. The value is `on` or `off` . The default is `off` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation can't be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` . This attribute can't be enabled for UDP and TCP_UDP target groups.\n- `target_health_state.unhealthy.draining_interval_seconds` - The amount of time for Elastic Load Balancing to wait before changing the state of an unhealthy target from `unhealthy.draining` to `unhealthy` . The range is 0-360000 seconds. The default value is 0 seconds.\n\nNote: This attribute can only be configured when `target_health_state.unhealthy.connection_termination.enabled` is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is 1.\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` , `least_outstanding_requests` , or `weighted_random` . The default is `round_robin` .\n- `load_balancing.algorithm.anomaly_mitigation` - Only available when `load_balancing.algorithm.type` is `weighted_random` . Indicates whether anomaly mitigation is enabled. The value is `on` or `off` . The default is `off` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation can't be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` . This attribute can't be enabled for UDP and TCP_UDP target groups.\n- `target_health_state.unhealthy.draining_interval_seconds` - The amount of time for Elastic Load Balancing to wait before changing the state of an unhealthy target from `unhealthy.draining` to `unhealthy` . The range is 0-360000 seconds. The default value is 0 seconds.\n\nNote: This attribute can only be configured when `target_health_state.unhealthy.connection_termination.enabled` is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.", "title": "Key", "type": "string" }, @@ -95860,7 +95838,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of the attribute, selected from a list of values.\n\n> Normalization is only supported for `NAME` , `ADDRESS` , `PHONE` , and `EMAIL_ADDRESS` .\n> \n> If you want to normalize `NAME_FIRST` , `NAME_MIDDLE` , and `NAME_LAST` , you must group them by assigning them to the `NAME` `groupName` .\n> \n> If you want to normalize `ADDRESS_STREET1` , `ADDRESS_STREET2` , `ADDRESS_STREET3` , `ADDRESS_CITY` , `ADDRESS_STATE` , `ADDRESS_COUNTRY` , and `ADDRESS_POSTALCODE` , you must group them by assigning them to the `ADDRESS` `groupName` .\n> \n> If you want to normalize `PHONE_NUMBER` and `PHONE_COUNTRYCODE` , you must group them by assigning them to the `PHONE` `groupName` .", + "markdownDescription": "The type of the attribute, selected from a list of values.\n\nLiveRamp supports: `NAME` | `NAME_FIRST` | `NAME_MIDDLE` | `NAME_LAST` | `ADDRESS` | `ADDRESS_STREET1` | `ADDRESS_STREET2` | `ADDRESS_STREET3` | `ADDRESS_CITY` | `ADDRESS_STATE` | `ADDRESS_COUNTRY` | `ADDRESS_POSTALCODE` | `PHONE` | `PHONE_NUMBER` | `EMAIL_ADDRESS` | `UNIQUE_ID` | `PROVIDER_ID`\n\nTransUnion supports: `NAME` | `NAME_FIRST` | `NAME_LAST` | `ADDRESS` | `ADDRESS_CITY` | `ADDRESS_STATE` | `ADDRESS_COUNTRY` | `ADDRESS_POSTALCODE` | `PHONE_NUMBER` | `EMAIL_ADDRESS` | `UNIQUE_ID` | `IPV4` | `IPV6` | `MAID`\n\nUnified ID 2.0 supports: `PHONE_NUMBER` | `EMAIL_ADDRESS` | `UNIQUE_ID`\n\n> Normalization is only supported for `NAME` , `ADDRESS` , `PHONE` , and `EMAIL_ADDRESS` .\n> \n> If you want to normalize `NAME_FIRST` , `NAME_MIDDLE` , and `NAME_LAST` , you must group them by assigning them to the `NAME` `groupName` .\n> \n> If you want to normalize `ADDRESS_STREET1` , `ADDRESS_STREET2` , `ADDRESS_STREET3` , `ADDRESS_CITY` , `ADDRESS_STATE` , `ADDRESS_COUNTRY` , and `ADDRESS_POSTALCODE` , you must group them by assigning them to the `ADDRESS` `groupName` .\n> \n> If you want to normalize `PHONE_NUMBER` and `PHONE_COUNTRYCODE` , you must group them by assigning them to the `PHONE` `groupName` .", "title": "Type", "type": "string" } @@ -99853,7 +99831,7 @@ "type": "number" }, "StorageType": { - "markdownDescription": "Sets the storage class for the file system that you're creating. Valid values are `SSD` , `HDD` , and `INTELLIGENT_TIERING` .\n\n- Set to `SSD` to use solid state drive storage. SSD is supported on all Windows, Lustre, ONTAP, and OpenZFS deployment types.\n- Set to `HDD` to use hard disk drive storage, which is supported on `SINGLE_AZ_2` and `MULTI_AZ_1` Windows file system deployment types, and on `PERSISTENT_1` Lustre file system deployment types.\n- Set to `INTELLIGENT_TIERING` to use fully elastic, intelligently-tiered storage. Intelligent-Tiering is only available for OpenZFS file systems with the Multi-AZ deployment type.\n\nDefault value is `SSD` . For more information, see [Storage type options](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/optimize-fsx-costs.html#storage-type-options) in the *FSx for Windows File Server User Guide* , [Multiple storage options](https://docs.aws.amazon.com/fsx/latest/LustreGuide/what-is.html#storage-options) in the *FSx for Lustre User Guide* , and [Working with Intelligent-Tiering](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance-intelligent-tiering) in the *Amazon FSx for OpenZFS User Guide* .", + "markdownDescription": "Sets the storage class for the file system that you're creating. Valid values are `SSD` , `HDD` , and `INTELLIGENT_TIERING` .\n\n- Set to `SSD` to use solid state drive storage. SSD is supported on all Windows, Lustre, ONTAP, and OpenZFS deployment types.\n- Set to `HDD` to use hard disk drive storage, which is supported on `SINGLE_AZ_2` and `MULTI_AZ_1` Windows file system deployment types, and on `PERSISTENT_1` Lustre file system deployment types.\n- Set to `INTELLIGENT_TIERING` to use fully elastic, intelligently-tiered storage. Intelligent-Tiering is only available for OpenZFS file systems with the Multi-AZ deployment type and for Lustre file systems with the Persistent_2 deployment type.\n\nDefault value is `SSD` . For more information, see [Storage type options](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/optimize-fsx-costs.html#storage-type-options) in the *FSx for Windows File Server User Guide* , [FSx for Lustre storage classes](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html#lustre-storage-classes) in the *FSx for Lustre User Guide* , and [Working with Intelligent-Tiering](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance-intelligent-tiering) in the *Amazon FSx for OpenZFS User Guide* .", "title": "StorageType", "type": "string" }, @@ -99995,7 +99973,7 @@ "type": "string" }, "DeploymentType": { - "markdownDescription": "(Optional) Choose `SCRATCH_1` and `SCRATCH_2` deployment types when you need temporary storage and shorter-term processing of data. The `SCRATCH_2` deployment type provides in-transit encryption of data and higher burst throughput capacity than `SCRATCH_1` .\n\nChoose `PERSISTENT_1` for longer-term storage and for throughput-focused workloads that aren\u2019t latency-sensitive. `PERSISTENT_1` supports encryption of data in transit, and is available in all AWS Regions in which FSx for Lustre is available.\n\nChoose `PERSISTENT_2` for longer-term storage and for latency-sensitive workloads that require the highest levels of IOPS/throughput. `PERSISTENT_2` supports SSD storage, and offers higher `PerUnitStorageThroughput` (up to 1000 MB/s/TiB). You can optionally specify a metadata configuration mode for `PERSISTENT_2` which supports increasing metadata performance. `PERSISTENT_2` is available in a limited number of AWS Regions . For more information, and an up-to-date list of AWS Regions in which `PERSISTENT_2` is available, see [File system deployment options for FSx for Lustre](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html#lustre-deployment-types) in the *Amazon FSx for Lustre User Guide* .\n\n> If you choose `PERSISTENT_2` , and you set `FileSystemTypeVersion` to `2.10` , the `CreateFileSystem` operation fails. \n\nEncryption of data in transit is automatically turned on when you access `SCRATCH_2` , `PERSISTENT_1` , and `PERSISTENT_2` file systems from Amazon EC2 instances that support automatic encryption in the AWS Regions where they are available. For more information about encryption in transit for FSx for Lustre file systems, see [Encrypting data in transit](https://docs.aws.amazon.com/fsx/latest/LustreGuide/encryption-in-transit-fsxl.html) in the *Amazon FSx for Lustre User Guide* .\n\n(Default = `SCRATCH_1` )", + "markdownDescription": "(Optional) Choose `SCRATCH_1` and `SCRATCH_2` deployment types when you need temporary storage and shorter-term processing of data. The `SCRATCH_2` deployment type provides in-transit encryption of data and higher burst throughput capacity than `SCRATCH_1` .\n\nChoose `PERSISTENT_1` for longer-term storage and for throughput-focused workloads that aren\u2019t latency-sensitive. `PERSISTENT_1` supports encryption of data in transit, and is available in all AWS Regions in which FSx for Lustre is available.\n\nChoose `PERSISTENT_2` for longer-term storage and for latency-sensitive workloads that require the highest levels of IOPS/throughput. `PERSISTENT_2` supports the SSD and Intelligent-Tiering storage classes. You can optionally specify a metadata configuration mode for `PERSISTENT_2` which supports increasing metadata performance. `PERSISTENT_2` is available in a limited number of AWS Regions . For more information, and an up-to-date list of AWS Regions in which `PERSISTENT_2` is available, see [Deployment and storage class options for FSx for Lustre file systems](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html) in the *Amazon FSx for Lustre User Guide* .\n\n> If you choose `PERSISTENT_2` , and you set `FileSystemTypeVersion` to `2.10` , the `CreateFileSystem` operation fails. \n\nEncryption of data in transit is automatically turned on when you access `SCRATCH_2` , `PERSISTENT_1` , and `PERSISTENT_2` file systems from Amazon EC2 instances that support automatic encryption in the AWS Regions where they are available. For more information about encryption in transit for FSx for Lustre file systems, see [Encrypting data in transit](https://docs.aws.amazon.com/fsx/latest/LustreGuide/encryption-in-transit-fsxl.html) in the *Amazon FSx for Lustre User Guide* .\n\n(Default = `SCRATCH_1` )", "title": "DeploymentType", "type": "string" }, @@ -100183,7 +100161,7 @@ "type": "array" }, "ThroughputCapacity": { - "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the `DeploymentType` and `StorageType` that you choose, as follows:\n\n- For `INTELIGENT_TIERING` , valid values are 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", + "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the `DeploymentType` that you choose, as follows:\n\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", "title": "ThroughputCapacity", "type": "number" }, @@ -103231,8 +103209,6 @@ "type": "string" }, "DesiredEC2Instances": { - "markdownDescription": "The number of EC2 instances that you want this fleet to host. When creating a new fleet, GameLift automatically sets this value to \"1\" and initiates a single instance. Once the fleet is active, update this value to trigger GameLift to add or remove instances from the fleet.", - "title": "DesiredEC2Instances", "type": "number" }, "EC2InboundPermissions": { @@ -103272,8 +103248,6 @@ "type": "array" }, "MaxSize": { - "markdownDescription": "The maximum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 1.", - "title": "MaxSize", "type": "number" }, "MetricGroups": { @@ -103285,8 +103259,6 @@ "type": "array" }, "MinSize": { - "markdownDescription": "The minimum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 0.", - "title": "MinSize", "type": "number" }, "Name": { @@ -108222,7 +108194,7 @@ "title": "TableOptimizerConfiguration" }, "Type": { - "markdownDescription": "The type of table optimizer. Currently, the only valid value is compaction.", + "markdownDescription": "The type of table optimizer. The valid values are:\n\n- compaction - for managing compaction with a table optimizer.\n- retention - for managing the retention of snapshot with a table optimizer.\n- orphan_file_deletion - for managing the deletion of orphan files with a table optimizer.", "title": "Type", "type": "string" } @@ -116902,7 +116874,7 @@ "type": "string" }, "ParentImage": { - "markdownDescription": "The base image for the container recipe.", + "markdownDescription": "The base image for customizations specified in the container recipe. This can contain an Image Builder image resource ARN or a container image URI, for example `amazonlinux:latest` .", "title": "ParentImage", "type": "string" }, @@ -117095,7 +117067,7 @@ "type": "array" }, "Image": { - "markdownDescription": "The AMI ID to use as the base image for a container build and test instance. If not specified, Image Builder will use the appropriate ECS-optimized AMI as a base image.", + "markdownDescription": "The base image for a container build and test instance. This can contain an AMI ID or it can specify an AWS Systems Manager (SSM) Parameter Store Parameter, prefixed by `ssm:` , followed by the parameter name or ARN.\n\nIf not specified, Image Builder uses the appropriate ECS-optimized AMI as a base image.", "title": "Image", "type": "string" } @@ -117994,7 +117966,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::ImageRecipe.ComponentConfiguration" }, - "markdownDescription": "The components of the image recipe. Components are orchestration documents that define a sequence of steps for downloading, installing, configuring, and testing software packages. They also define validation and security hardening steps. A component is defined using a YAML document format.", + "markdownDescription": "The components that are included in the image recipe. Recipes require a minimum of one build component, and can have a maximum of 20 build and test components in any combination.", "title": "Components", "type": "array" }, @@ -118009,7 +117981,7 @@ "type": "string" }, "ParentImage": { - "markdownDescription": "The parent image of the image recipe. The string must be either an Image ARN or an AMI ID.", + "markdownDescription": "The base image for customizations specified in the image recipe. You can specify the parent image using one of the following options:\n\n- AMI ID\n- Image Builder image Amazon Resource Name (ARN)\n- AWS Systems Manager (SSM) Parameter Store Parameter, prefixed by `ssm:` , followed by the parameter name or ARN.\n- AWS Marketplace product ID", "title": "ParentImage", "type": "string" }, @@ -118025,7 +117997,7 @@ "type": "object" }, "Version": { - "markdownDescription": "The semantic version of the image recipe.", + "markdownDescription": "The version of the image recipe.", "title": "Version", "type": "string" }, @@ -120011,13 +119983,9 @@ "additionalProperties": false, "properties": { "DeviceId": { - "markdownDescription": "The ID of the device, such as `G030PX0312744DWM` .", - "title": "DeviceId", "type": "string" }, "Enabled": { - "markdownDescription": "A Boolean value indicating whether the device is enabled ( `true` ) or not ( `false` ).", - "title": "Enabled", "type": "boolean" } }, @@ -120084,23 +120052,15 @@ "additionalProperties": false, "properties": { "AssociatedDevices": { - "markdownDescription": "The devices to associate with the placement, as defined by a mapping of zero or more key-value pairs wherein the key is a template name and the value is a device ID.", - "title": "AssociatedDevices", "type": "object" }, "Attributes": { - "markdownDescription": "The user-defined attributes associated with the placement.", - "title": "Attributes", "type": "object" }, "PlacementName": { - "markdownDescription": "The name of the placement.", - "title": "PlacementName", "type": "string" }, "ProjectName": { - "markdownDescription": "The name of the project containing the placement.", - "title": "ProjectName", "type": "string" } }, @@ -120166,18 +120126,12 @@ "additionalProperties": false, "properties": { "Description": { - "markdownDescription": "The description of the project.", - "title": "Description", "type": "string" }, "PlacementTemplate": { - "$ref": "#/definitions/AWS::IoT1Click::Project.PlacementTemplate", - "markdownDescription": "An object describing the project's placement specifications.", - "title": "PlacementTemplate" + "$ref": "#/definitions/AWS::IoT1Click::Project.PlacementTemplate" }, "ProjectName": { - "markdownDescription": "The name of the project from which to obtain information.", - "title": "ProjectName", "type": "string" } }, @@ -120223,13 +120177,9 @@ "additionalProperties": false, "properties": { "DefaultAttributes": { - "markdownDescription": "The default attributes (key-value pairs) to be applied to all placements using this template.", - "title": "DefaultAttributes", "type": "object" }, "DeviceTemplates": { - "markdownDescription": "An object specifying the [DeviceTemplate](https://docs.aws.amazon.com/iot-1-click/latest/projects-apireference/API_DeviceTemplate.html) for all placements using this ( [PlacementTemplate](https://docs.aws.amazon.com/iot-1-click/latest/projects-apireference/API_PlacementTemplate.html) ) template.", - "title": "DeviceTemplates", "type": "object" } }, @@ -137742,7 +137692,7 @@ }, "ApplicationMaintenanceConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationMaintenanceConfiguration", - "markdownDescription": "", + "markdownDescription": "Specifies the maintenance window parameters for a Kinesis Data Analytics application.", "title": "ApplicationMaintenanceConfiguration" }, "ApplicationMode": { @@ -137874,7 +137824,7 @@ "additionalProperties": false, "properties": { "ApplicationMaintenanceWindowStartTime": { - "markdownDescription": "Specifies the start time of the maintence window.", + "markdownDescription": "", "title": "ApplicationMaintenanceWindowStartTime", "type": "string" } @@ -142661,6 +142611,11 @@ "markdownDescription": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-consumer-group-id) .", "title": "ConsumerGroupId", "type": "string" + }, + "SchemaRegistryConfig": { + "$ref": "#/definitions/AWS::Lambda::EventSourceMapping.SchemaRegistryConfig", + "markdownDescription": "Specific configuration settings for a Kafka schema registry.", + "title": "SchemaRegistryConfig" } }, "type": "object" @@ -142758,6 +142713,65 @@ }, "type": "object" }, + "AWS::Lambda::EventSourceMapping.SchemaRegistryAccessConfig": { + "additionalProperties": false, + "properties": { + "Type": { + "markdownDescription": "The type of authentication Lambda uses to access your schema registry.", + "title": "Type", + "type": "string" + }, + "URI": { + "markdownDescription": "The URI of the secret (Secrets Manager secret ARN) to authenticate with your schema registry.", + "title": "URI", + "type": "string" + } + }, + "type": "object" + }, + "AWS::Lambda::EventSourceMapping.SchemaRegistryConfig": { + "additionalProperties": false, + "properties": { + "AccessConfigs": { + "items": { + "$ref": "#/definitions/AWS::Lambda::EventSourceMapping.SchemaRegistryAccessConfig" + }, + "markdownDescription": "An array of access configuration objects that tell Lambda how to authenticate with your schema registry.", + "title": "AccessConfigs", + "type": "array" + }, + "EventRecordFormat": { + "markdownDescription": "The record format that Lambda delivers to your function after schema validation.", + "title": "EventRecordFormat", + "type": "string" + }, + "SchemaRegistryURI": { + "markdownDescription": "The URI for your schema registry. The correct URI format depends on the type of schema registry you're using.", + "title": "SchemaRegistryURI", + "type": "string" + }, + "SchemaValidationConfigs": { + "items": { + "$ref": "#/definitions/AWS::Lambda::EventSourceMapping.SchemaValidationConfig" + }, + "markdownDescription": "An array of schema validation configuration objects, which tell Lambda the message attributes you want to validate and filter using your schema registry.", + "title": "SchemaValidationConfigs", + "type": "array" + } + }, + "type": "object" + }, + "AWS::Lambda::EventSourceMapping.SchemaValidationConfig": { + "additionalProperties": false, + "properties": { + "Attribute": { + "markdownDescription": "The attribute you want your schema registry to validate and filter for.", + "title": "Attribute", + "type": "string" + } + }, + "type": "object" + }, "AWS::Lambda::EventSourceMapping.SelfManagedEventSource": { "additionalProperties": false, "properties": { @@ -142773,9 +142787,14 @@ "additionalProperties": false, "properties": { "ConsumerGroupId": { - "markdownDescription": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-consumer-group-id) .", + "markdownDescription": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka-process.html#services-smaa-topic-add) .", "title": "ConsumerGroupId", "type": "string" + }, + "SchemaRegistryConfig": { + "$ref": "#/definitions/AWS::Lambda::EventSourceMapping.SchemaRegistryConfig", + "markdownDescription": "Specific configuration settings for a Kafka schema registry.", + "title": "SchemaRegistryConfig" } }, "type": "object" @@ -143788,12 +143807,12 @@ "additionalProperties": false, "properties": { "RuntimeVersionArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the runtime version you want the function to use.\n\n> This is only required if you're using the *Manual* runtime update mode.", "title": "RuntimeVersionArn", "type": "string" }, "UpdateRuntimeOn": { - "markdownDescription": "", + "markdownDescription": "Specify the runtime update mode.\n\n- *Auto (default)* - Automatically update to the most recent and secure runtime version using a [Two-phase runtime version rollout](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-two-phase) . This is the best choice for most customers to ensure they always benefit from runtime updates.\n- *FunctionUpdate* - Lambda updates the runtime of you function to the most recent and secure runtime version when you update your function. This approach synchronizes runtime updates with function deployments, giving you control over when runtime updates are applied and allowing you to detect and mitigate rare runtime update incompatibilities early. When using this setting, you need to regularly update your functions to keep their runtime up-to-date.\n- *Manual* - You specify a runtime version in your function configuration. The function will use this runtime version indefinitely. In the rare case where a new runtime version is incompatible with an existing function, this allows you to roll back your function to an earlier runtime version. For more information, see [Roll back a runtime version](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-rollback) .\n\n*Valid Values* : `Auto` | `FunctionUpdate` | `Manual`", "title": "UpdateRuntimeOn", "type": "string" } @@ -152665,7 +152684,7 @@ "type": "string" }, "ServerProperties": { - "markdownDescription": "Contents of the `server.properties` file. When using this property, you must ensure that the contents of the file are base64 encoded. When using the console, the SDK, or the AWS CLI , the contents of `server.properties` can be in plaintext.", + "markdownDescription": "Contents of the `server.properties` file. When using the console, the SDK, or the AWS CLI , the contents of `server.properties` can be in plaintext.", "title": "ServerProperties", "type": "string" } @@ -156465,7 +156484,7 @@ "title": "Maintenance" }, "Name": { - "markdownDescription": "A name for this audio selector. The AudioDescription (in an output) references this name in order to identify a specific input audio to include in that output.", + "markdownDescription": "Name of channel.", "title": "Name", "type": "string" }, @@ -163677,7 +163696,7 @@ "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.HlsManifestConfiguration" }, - "markdownDescription": "The HLS manfiests associated with the origin endpoint configuration.", + "markdownDescription": "The HLS manifests associated with the origin endpoint configuration.", "title": "HlsManifests", "type": "array" }, @@ -163891,7 +163910,7 @@ "title": "FilterConfiguration" }, "ManifestName": { - "markdownDescription": "A short short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", + "markdownDescription": "A short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", "title": "ManifestName", "type": "string" }, @@ -166769,7 +166788,7 @@ "items": { "$ref": "#/definitions/AWS::NetworkFirewall::Firewall.SubnetMapping" }, - "markdownDescription": "The public subnets that Network Firewall is using for the firewall. Each subnet must belong to a different Availability Zone.", + "markdownDescription": "The primary public subnets that Network Firewall is using for the firewall. Network Firewall creates a firewall endpoint in each subnet. Create a subnet mapping for each Availability Zone where you want to use the firewall.\n\nThese subnets are all defined for a single, primary VPC, and each must belong to a different Availability Zone. Each of these subnets establishes the availability of the firewall in its Availability Zone.\n\nIn addition to these subnets, you can define other endpoints for the firewall in `VpcEndpointAssociation` resources. You can define these additional endpoints for any VPC, and for any of the Availability Zones where the firewall resource already has a subnet mapping. VPC endpoint associations give you the ability to protect multiple VPCs using a single firewall, and to define multiple firewall endpoints for a VPC in a single Availability Zone.", "title": "SubnetMappings", "type": "array" }, @@ -169761,58 +169780,42 @@ "additionalProperties": false, "properties": { "Description": { - "markdownDescription": "A human-readable description of the launch profile.", - "title": "Description", "type": "string" }, "Ec2SubnetIds": { "items": { "type": "string" }, - "markdownDescription": "Unique identifiers for a collection of EC2 subnets.", - "title": "Ec2SubnetIds", "type": "array" }, "LaunchProfileProtocolVersions": { "items": { "type": "string" }, - "markdownDescription": "The version number of the protocol that is used by the launch profile. The only valid version is \"2021-03-31\".", - "title": "LaunchProfileProtocolVersions", "type": "array" }, "Name": { - "markdownDescription": "A friendly name for the launch profile.", - "title": "Name", "type": "string" }, "StreamConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfiguration", - "markdownDescription": "A configuration for a streaming session.", - "title": "StreamConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfiguration" }, "StudioComponentIds": { "items": { "type": "string" }, - "markdownDescription": "Unique identifiers for a collection of studio components that can be used with this launch profile.", - "title": "StudioComponentIds", "type": "array" }, "StudioId": { - "markdownDescription": "The unique identifier for a studio resource. In Nimble Studio, all other resources are contained in a studio resource.", - "title": "StudioId", "type": "string" }, "Tags": { "additionalProperties": true, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Tags", "type": "object" } }, @@ -169851,60 +169854,40 @@ "additionalProperties": false, "properties": { "AutomaticTerminationMode": { - "markdownDescription": "Indicates if a streaming session created from this launch profile should be terminated automatically or retained without termination after being in a `STOPPED` state.\n\n- When `ACTIVATED` , the streaming session is scheduled for termination after being in the `STOPPED` state for the time specified in `maxStoppedSessionLengthInMinutes` .\n- When `DEACTIVATED` , the streaming session can remain in the `STOPPED` state indefinitely.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` . When allowed, the default value for this parameter is `DEACTIVATED` .", - "title": "AutomaticTerminationMode", "type": "string" }, "ClipboardMode": { - "markdownDescription": "Allows or deactivates the use of the system clipboard to copy and paste between the streaming session and streaming client.", - "title": "ClipboardMode", "type": "string" }, "Ec2InstanceTypes": { "items": { "type": "string" }, - "markdownDescription": "The EC2 instance types that users can select from when launching a streaming session with this launch profile.", - "title": "Ec2InstanceTypes", "type": "array" }, "MaxSessionLengthInMinutes": { - "markdownDescription": "The length of time, in minutes, that a streaming session can be active before it is stopped or terminated. After this point, Nimble Studio automatically terminates or stops the session. The default length of time is 690 minutes, and the maximum length of time is 30 days.", - "title": "MaxSessionLengthInMinutes", "type": "number" }, "MaxStoppedSessionLengthInMinutes": { - "markdownDescription": "Integer that determines if you can start and stop your sessions and how long a session can stay in the `STOPPED` state. The default value is 0. The maximum value is 5760.\n\nThis field is allowed only when `sessionPersistenceMode` is `ACTIVATED` and `automaticTerminationMode` is `ACTIVATED` .\n\nIf the value is set to 0, your sessions can\u2019t be `STOPPED` . If you then call `StopStreamingSession` , the session fails. If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be terminated (instead of `STOPPED` ).\n\nIf the value is set to a positive number, the session can be stopped. You can call `StopStreamingSession` to stop sessions in the `READY` state. If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be stopped (instead of terminated).", - "title": "MaxStoppedSessionLengthInMinutes", "type": "number" }, "SessionBackup": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionBackup", - "markdownDescription": "Information about the streaming session backup.", - "title": "SessionBackup" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionBackup" }, "SessionPersistenceMode": { - "markdownDescription": "Determine if a streaming session created from this launch profile can configure persistent storage. This means that `volumeConfiguration` and `automaticTerminationMode` are configured.", - "title": "SessionPersistenceMode", "type": "string" }, "SessionStorage": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionStorage", - "markdownDescription": "The upload storage for a streaming session.", - "title": "SessionStorage" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionStorage" }, "StreamingImageIds": { "items": { "type": "string" }, - "markdownDescription": "The streaming images that users can select from when launching a streaming session with this launch profile.", - "title": "StreamingImageIds", "type": "array" }, "VolumeConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.VolumeConfiguration", - "markdownDescription": "Custom volume configuration for the root volumes that are attached to streaming sessions.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` .", - "title": "VolumeConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.VolumeConfiguration" } }, "required": [ @@ -169918,13 +169901,9 @@ "additionalProperties": false, "properties": { "MaxBackupsToRetain": { - "markdownDescription": "The maximum number of backups that each streaming session created from this launch profile can have.", - "title": "MaxBackupsToRetain", "type": "number" }, "Mode": { - "markdownDescription": "Specifies how artists sessions are backed up.\n\nConfigures backups for streaming sessions launched with this launch profile. The default value is `DEACTIVATED` , which means that backups are deactivated. To allow backups, set this value to `AUTOMATIC` .", - "title": "Mode", "type": "string" } }, @@ -169937,14 +169916,10 @@ "items": { "type": "string" }, - "markdownDescription": "Allows artists to upload files to their workstations. The only valid option is `UPLOAD` .", - "title": "Mode", "type": "array" }, "Root": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamingSessionStorageRoot", - "markdownDescription": "The configuration for the upload storage root of the streaming session.", - "title": "Root" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamingSessionStorageRoot" } }, "required": [ @@ -169956,13 +169931,9 @@ "additionalProperties": false, "properties": { "Linux": { - "markdownDescription": "The folder path in Linux workstations where files are uploaded.", - "title": "Linux", "type": "string" }, "Windows": { - "markdownDescription": "The folder path in Windows workstations where files are uploaded.", - "title": "Windows", "type": "string" } }, @@ -169972,18 +169943,12 @@ "additionalProperties": false, "properties": { "Iops": { - "markdownDescription": "The number of I/O operations per second for the root volume that is attached to streaming session.", - "title": "Iops", "type": "number" }, "Size": { - "markdownDescription": "The size of the root volume that is attached to the streaming session. The root volume size is measured in GiBs.", - "title": "Size", "type": "number" }, "Throughput": { - "markdownDescription": "The throughput to provision for the root volume that is attached to the streaming session. The throughput is measured in MiB/s.", - "title": "Throughput", "type": "number" } }, @@ -170025,34 +169990,24 @@ "additionalProperties": false, "properties": { "Description": { - "markdownDescription": "A human-readable description of the streaming image.", - "title": "Description", "type": "string" }, "Ec2ImageId": { - "markdownDescription": "The ID of an EC2 machine image with which to create the streaming image.", - "title": "Ec2ImageId", "type": "string" }, "Name": { - "markdownDescription": "A friendly name for a streaming image resource.", - "title": "Name", "type": "string" }, "StudioId": { - "markdownDescription": "The unique identifier for a studio resource. In Nimble Studio, all other resources are contained in a studio resource.", - "title": "StudioId", "type": "string" }, "Tags": { "additionalProperties": true, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Tags", "type": "object" } }, @@ -170088,13 +170043,9 @@ "additionalProperties": false, "properties": { "KeyArn": { - "markdownDescription": "The ARN for a KMS key that is used to encrypt studio data.", - "title": "KeyArn", "type": "string" }, "KeyType": { - "markdownDescription": "The type of KMS key that is used to encrypt studio data.", - "title": "KeyType", "type": "string" } }, @@ -170139,39 +170090,27 @@ "additionalProperties": false, "properties": { "AdminRoleArn": { - "markdownDescription": "The IAM role that studio admins assume when logging in to the Nimble Studio portal.", - "title": "AdminRoleArn", "type": "string" }, "DisplayName": { - "markdownDescription": "A friendly name for the studio.", - "title": "DisplayName", "type": "string" }, "StudioEncryptionConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::Studio.StudioEncryptionConfiguration", - "markdownDescription": "Configuration of the encryption method that is used for the studio.", - "title": "StudioEncryptionConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::Studio.StudioEncryptionConfiguration" }, "StudioName": { - "markdownDescription": "The name of the studio, as included in the URL when accessing it in the Nimble Studio portal.", - "title": "StudioName", "type": "string" }, "Tags": { "additionalProperties": true, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Tags", "type": "object" }, "UserRoleArn": { - "markdownDescription": "The IAM role that studio users assume when logging in to the Nimble Studio portal.", - "title": "UserRoleArn", "type": "string" } }, @@ -170208,13 +170147,9 @@ "additionalProperties": false, "properties": { "KeyArn": { - "markdownDescription": "The ARN for a KMS key that is used to encrypt studio data.", - "title": "KeyArn", "type": "string" }, "KeyType": { - "markdownDescription": "The type of KMS key that is used to encrypt studio data.", - "title": "KeyType", "type": "string" } }, @@ -170259,68 +170194,48 @@ "additionalProperties": false, "properties": { "Configuration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.StudioComponentConfiguration", - "markdownDescription": "The configuration of the studio component, based on component type.", - "title": "Configuration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.StudioComponentConfiguration" }, "Description": { - "markdownDescription": "A human-readable description for the studio component resource.", - "title": "Description", "type": "string" }, "Ec2SecurityGroupIds": { "items": { "type": "string" }, - "markdownDescription": "The EC2 security groups that control access to the studio component.", - "title": "Ec2SecurityGroupIds", "type": "array" }, "InitializationScripts": { "items": { "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.StudioComponentInitializationScript" }, - "markdownDescription": "Initialization scripts for studio components.", - "title": "InitializationScripts", "type": "array" }, "Name": { - "markdownDescription": "A friendly name for the studio component resource.", - "title": "Name", "type": "string" }, "ScriptParameters": { "items": { "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ScriptParameterKeyValue" }, - "markdownDescription": "Parameters for the studio component scripts.", - "title": "ScriptParameters", "type": "array" }, "StudioId": { - "markdownDescription": "The unique identifier for a studio resource. In Nimble Studio, all other resources are contained in a studio resource.", - "title": "StudioId", "type": "string" }, "Subtype": { - "markdownDescription": "The specific subtype of a studio component.", - "title": "Subtype", "type": "string" }, "Tags": { "additionalProperties": true, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Tags", "type": "object" }, "Type": { - "markdownDescription": "The type of the studio component.", - "title": "Type", "type": "string" } }, @@ -170356,13 +170271,9 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "The name for the LDAP attribute.", - "title": "Name", "type": "string" }, "Value": { - "markdownDescription": "The value for the LDAP attribute.", - "title": "Value", "type": "string" } }, @@ -170375,18 +170286,12 @@ "items": { "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ActiveDirectoryComputerAttribute" }, - "markdownDescription": "A collection of custom attributes for an Active Directory computer.", - "title": "ComputerAttributes", "type": "array" }, "DirectoryId": { - "markdownDescription": "The directory ID of the AWS Directory Service for Microsoft Active Directory to access using this studio component.", - "title": "DirectoryId", "type": "string" }, "OrganizationalUnitDistinguishedName": { - "markdownDescription": "The distinguished name (DN) and organizational unit (OU) of an Active Directory computer.", - "title": "OrganizationalUnitDistinguishedName", "type": "string" } }, @@ -170396,13 +170301,9 @@ "additionalProperties": false, "properties": { "ActiveDirectoryUser": { - "markdownDescription": "The name of an Active Directory user that is used on ComputeFarm worker instances.", - "title": "ActiveDirectoryUser", "type": "string" }, "Endpoint": { - "markdownDescription": "The endpoint of the ComputeFarm that is accessed by the studio component resource.", - "title": "Endpoint", "type": "string" } }, @@ -170412,8 +170313,6 @@ "additionalProperties": false, "properties": { "Endpoint": { - "markdownDescription": "The endpoint of the license service that is accessed by the studio component resource.", - "title": "Endpoint", "type": "string" } }, @@ -170423,13 +170322,9 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "A script parameter key.", - "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "A script parameter value.", - "title": "Value", "type": "string" } }, @@ -170439,28 +170334,18 @@ "additionalProperties": false, "properties": { "Endpoint": { - "markdownDescription": "The endpoint of the shared file system that is accessed by the studio component resource.", - "title": "Endpoint", "type": "string" }, "FileSystemId": { - "markdownDescription": "The unique identifier for a file system.", - "title": "FileSystemId", "type": "string" }, "LinuxMountPoint": { - "markdownDescription": "The mount location for a shared file system on a Linux virtual workstation.", - "title": "LinuxMountPoint", "type": "string" }, "ShareName": { - "markdownDescription": "The name of the file share.", - "title": "ShareName", "type": "string" }, "WindowsMountDrive": { - "markdownDescription": "The mount location for a shared file system on a Windows virtual workstation.", - "title": "WindowsMountDrive", "type": "string" } }, @@ -170470,24 +170355,16 @@ "additionalProperties": false, "properties": { "ActiveDirectoryConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ActiveDirectoryConfiguration", - "markdownDescription": "The configuration for a AWS Directory Service for Microsoft Active Directory studio resource.", - "title": "ActiveDirectoryConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ActiveDirectoryConfiguration" }, "ComputeFarmConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ComputeFarmConfiguration", - "markdownDescription": "The configuration for a render farm that is associated with a studio resource.", - "title": "ComputeFarmConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ComputeFarmConfiguration" }, "LicenseServiceConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.LicenseServiceConfiguration", - "markdownDescription": "The configuration for a license service that is associated with a studio resource.", - "title": "LicenseServiceConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.LicenseServiceConfiguration" }, "SharedFileSystemConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.SharedFileSystemConfiguration", - "markdownDescription": "The configuration for a shared file storage system that is associated with a studio resource.", - "title": "SharedFileSystemConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.SharedFileSystemConfiguration" } }, "type": "object" @@ -170496,23 +170373,15 @@ "additionalProperties": false, "properties": { "LaunchProfileProtocolVersion": { - "markdownDescription": "The version number of the protocol that is used by the launch profile. The only valid version is \"2021-03-31\".", - "title": "LaunchProfileProtocolVersion", "type": "string" }, "Platform": { - "markdownDescription": "The platform of the initialization script, either Windows or Linux.", - "title": "Platform", "type": "string" }, "RunContext": { - "markdownDescription": "The method to use when running the initialization script.", - "title": "RunContext", "type": "string" }, "Script": { - "markdownDescription": "The initialization script.", - "title": "Script", "type": "string" } }, @@ -170771,7 +170640,7 @@ "additionalProperties": false, "properties": { "LabelTemplate": { - "markdownDescription": "Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.\n\nYou can include the following variables in your template:\n\n- `$AccountName` is the name of the account\n- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as `mariagarcia@example.com`\n- `$AccountEmailNoDomain` is an email address without the domain name, such as `mariagarcia`", + "markdownDescription": "Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.\n\nYou can include the following variables in your template:\n\n- `$AccountName` is the name of the account\n- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as `mariagarcia@example.com`\n- `$AccountEmailNoDomain` is an email address without the domain name, such as `mariagarcia`\n\n> In the and Regions, the only supported option is to use custom labels, and the `$AccountName` , `$AccountEmail` , and `$AccountEmailNoDomain` variables all resolve as *account-id* instead of the specified variable.", "title": "LabelTemplate", "type": "string" }, @@ -170784,7 +170653,7 @@ "items": { "type": "string" }, - "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application | AWS::InternetMonitor::Monitor | AWS::ApplicationSignals::Service | AWS::ApplicationSignals::ServiceLevelObjective` .", + "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application | AWS::InternetMonitor::Monitor` .", "title": "ResourceTypes", "type": "array" }, @@ -170837,7 +170706,7 @@ "properties": { "LogGroupConfiguration": { "$ref": "#/definitions/AWS::Oam::Link.LinkFilter", - "markdownDescription": "Use this structure to filter which log groups are to send log events from the source account to the monitoring account.", + "markdownDescription": "Use this structure to filter which log groups are to share log events from this source account to the monitoring account.", "title": "LogGroupConfiguration" }, "MetricConfiguration": { @@ -170852,7 +170721,7 @@ "additionalProperties": false, "properties": { "Filter": { - "markdownDescription": "", + "markdownDescription": "When used in `MetricConfiguration` this field specifies which metric namespaces are to be shared with the monitoring account\n\nWhen used in `LogGroupConfiguration` this field specifies which log groups are to share their log events with the monitoring account. Use the term `LogGroupName` and one or more of the following operands.\n\nUse single quotation marks (') around log group names and metric namespaces.\n\nThe matching of log group names and metric namespaces is case sensitive. Each filter has a limit of five conditional operands. Conditional operands are `AND` and `OR` .\n\n- `=` and `!=`\n- `AND`\n- `OR`\n- `LIKE` and `NOT LIKE` . These can be used only as prefix searches. Include a `%` at the end of the string that you want to search for and include.\n- `IN` and `NOT IN` , using parentheses `( )`\n\nExamples:\n\n- `Namespace NOT LIKE 'AWS/%'` includes only namespaces that don't start with `AWS/` , such as custom namespaces.\n- `Namespace IN ('AWS/EC2', 'AWS/ELB', 'AWS/S3')` includes only the metrics in the EC2, Elastic Load Balancing , and Amazon S3 namespaces.\n- `Namespace = 'AWS/EC2' OR Namespace NOT LIKE 'AWS/%'` includes only the EC2 namespace and your custom namespaces.\n- `LogGroupName IN ('This-Log-Group', 'Other-Log-Group')` includes only the log groups with names `This-Log-Group` and `Other-Log-Group` .\n- `LogGroupName NOT IN ('Private-Log-Group', 'Private-Log-Group-2')` includes all log groups except the log groups with names `Private-Log-Group` and `Private-Log-Group-2` .\n- `LogGroupName LIKE 'aws/lambda/%' OR LogGroupName LIKE 'AWSLogs%'` includes all log groups that have names that start with `aws/lambda/` or `AWSLogs` .\n\n> If you are updating a link that uses filters, you can specify `*` as the only value for the `filter` parameter to delete the filter and share all log groups with the monitoring account.", "title": "Filter", "type": "string" } @@ -192382,7 +192251,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -204915,7 +204784,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -208323,7 +208192,7 @@ "items": { "type": "string" }, - "markdownDescription": "An array of Amazon Resource Names (ARNs) for Amazon QuickSight users or groups.", + "markdownDescription": "An array of Amazon Resource Names (ARNs) for QuickSight users or groups.", "title": "Principals", "type": "array" } @@ -208750,7 +208619,7 @@ "additionalProperties": false, "properties": { "UniqueKey": { - "markdownDescription": "A value that indicates that a row in a table is uniquely identified by the columns in a join key. This is used by Amazon QuickSight to optimize query performance.", + "markdownDescription": "A value that indicates that a row in a table is uniquely identified by the columns in a join key. This is used by QuickSight to optimize query performance.", "title": "UniqueKey", "type": "boolean" } @@ -209035,7 +208904,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -209937,7 +209806,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -210240,7 +210109,7 @@ "additionalProperties": false, "properties": { "RefreshType": { - "markdownDescription": "The type of refresh that a dataset undergoes. Valid values are as follows:\n\n- `FULL_REFRESH` : A complete refresh of a dataset.\n- `INCREMENTAL_REFRESH` : A partial refresh of some rows of a dataset, based on the time window specified.\n\nFor more information on full and incremental refreshes, see [Refreshing SPICE data](https://docs.aws.amazon.com/quicksight/latest/user/refreshing-imported-data.html) in the *Amazon QuickSight User Guide* .", + "markdownDescription": "The type of refresh that a dataset undergoes. Valid values are as follows:\n\n- `FULL_REFRESH` : A complete refresh of a dataset.\n- `INCREMENTAL_REFRESH` : A partial refresh of some rows of a dataset, based on the time window specified.\n\nFor more information on full and incremental refreshes, see [Refreshing SPICE data](https://docs.aws.amazon.com/quicksight/latest/user/refreshing-imported-data.html) in the *QuickSight User Guide* .", "title": "RefreshType", "type": "string" }, @@ -219306,7 +219175,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -222777,7 +222646,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -224478,7 +224347,7 @@ "type": "array" }, "AutoMinorVersionUpgrade": { - "markdownDescription": "Specifies whether minor engine upgrades are applied automatically to the DB cluster during the maintenance window. By default, minor engine upgrades are applied automatically.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB cluster", + "markdownDescription": "Specifies whether minor engine upgrades are applied automatically to the DB cluster during the maintenance window. By default, minor engine upgrades are applied automatically.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB cluster.\n\nFor more information about automatic minor version upgrades, see [Automatically upgrading the minor engine version](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades) .", "title": "AutoMinorVersionUpgrade", "type": "boolean" }, @@ -226000,12 +225869,12 @@ "additionalProperties": false, "properties": { "ConnectionBorrowTimeout": { - "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 3600.", + "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 300.", "title": "ConnectionBorrowTimeout", "type": "number" }, "InitQuery": { - "markdownDescription": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure that the query you add is valid. To include multiple variables in a single `SET` statement, use comma separators.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nFor multiple statements, use semicolons as the separator.\n\nDefault: no initialization query", + "markdownDescription": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure the query added here is valid. This is an optional field, so you can choose to leave it empty. For including multiple variables in a single SET statement, use a comma separator.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nDefault: no initialization query", "title": "InitQuery", "type": "string" }, @@ -228610,7 +228479,7 @@ "items": { "$ref": "#/definitions/AWS::RedshiftServerless::Workgroup.ConfigParameter" }, - "markdownDescription": "A list of parameters to set for finer control over a database. Available options are `datestyle` , `enable_user_activity_logging` , `query_group` , `search_path` , `max_query_execution_time` , and `require_ssl` .", + "markdownDescription": "The key of the parameter. The options are `auto_mv` , `datestyle` , `enable_case_sensitive_identifier` , `enable_user_activity_logging` , `query_group` , `search_path` , `require_ssl` , `use_fips_ssl` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", "title": "ConfigParameters", "type": "array" }, @@ -228699,7 +228568,7 @@ "additionalProperties": false, "properties": { "ParameterKey": { - "markdownDescription": "The key of the parameter. The options are `datestyle` , `enable_user_activity_logging` , `query_group` , `search_path` , `max_query_execution_time` , and `require_ssl` .", + "markdownDescription": "The key of the parameter. The options are `auto_mv` , `datestyle` , `enable_case_sensitive_identifier` , `enable_user_activity_logging` , `query_group` , `search_path` , `require_ssl` , `use_fips_ssl` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", "title": "ParameterKey", "type": "string" }, @@ -236548,7 +236417,7 @@ "type": "string" }, "KeyPrefixEquals": { - "markdownDescription": "The object key name prefix when the redirect is applied. For example, to redirect requests for `ExamplePage.html` , the key prefix will be `ExamplePage.html` . To redirect request for all pages with the prefix `docs/` , the key prefix will be `/docs` , which identifies all objects in the docs/ folder.\n\nRequired when the parent element `Condition` is specified and sibling `HttpErrorCodeReturnedEquals` is not specified. If both conditions are specified, both must be true for the redirect to be applied.", + "markdownDescription": "The object key name prefix when the redirect is applied. For example, to redirect requests for `ExamplePage.html` , the key prefix will be `ExamplePage.html` . To redirect request for all pages with the prefix `docs/` , the key prefix will be `docs/` , which identifies all objects in the docs/ folder.\n\nRequired when the parent element `Condition` is specified and sibling `HttpErrorCodeReturnedEquals` is not specified. If both conditions are specified, both must be true for the redirect to be applied.", "title": "KeyPrefixEquals", "type": "string" } @@ -239226,7 +239095,7 @@ "items": { "type": "string" }, - "markdownDescription": "The types of events that Amazon SES sends to the specified event destinations.\n\n- `SEND` - The send request was successful and SES will attempt to deliver the message to the recipient\u2019s mail server. (If account-level or global suppression is being used, SES will still count it as a send, but delivery is suppressed.)\n- `REJECT` - SES accepted the email, but determined that it contained a virus and didn\u2019t attempt to deliver it to the recipient\u2019s mail server.\n- `BOUNCE` - ( *Hard bounce* ) The recipient's mail server permanently rejected the email. ( *Soft bounces* are only included when SES fails to deliver the email after retrying for a period of time.)\n- `COMPLAINT` - The email was successfully delivered to the recipient\u2019s mail server, but the recipient marked it as spam.\n- `DELIVERY` - SES successfully delivered the email to the recipient's mail server.\n- `OPEN` - The recipient received the message and opened it in their email client.\n- `CLICK` - The recipient clicked one or more links in the email.\n- `RENDERING_FAILURE` - The email wasn't sent because of a template rendering issue. This event type can occur when template data is missing, or when there is a mismatch between template parameters and data. (This event type only occurs when you send email using the [`SendTemplatedEmail`](https://docs.aws.amazon.com/ses/latest/APIReference/API_SendTemplatedEmail.html) or [`SendBulkTemplatedEmail`](https://docs.aws.amazon.com/ses/latest/APIReference/API_SendBulkTemplatedEmail.html) API operations.)\n- `DELIVERY_DELAY` - The email couldn't be delivered to the recipient\u2019s mail server because a temporary issue occurred. Delivery delays can occur, for example, when the recipient's inbox is full, or when the receiving email server experiences a transient issue.\n- `SUBSCRIPTION` - The email was successfully delivered, but the recipient updated their subscription preferences by clicking on an *unsubscribe* link as part of your [subscription management](https://docs.aws.amazon.com/ses/latest/dg/sending-email-subscription-management.html) .", + "markdownDescription": "The types of events that Amazon SES sends to the specified event destinations.\n\n- `SEND` - The send request was successful and SES will attempt to deliver the message to the recipient\u2019s mail server. (If account-level or global suppression is being used, SES will still count it as a send, but delivery is suppressed.)\n- `REJECT` - SES accepted the email, but determined that it contained a virus and didn\u2019t attempt to deliver it to the recipient\u2019s mail server.\n- `BOUNCE` - ( *Hard bounce* ) The recipient's mail server permanently rejected the email. ( *Soft bounces* are only included when SES fails to deliver the email after retrying for a period of time.)\n- `COMPLAINT` - The email was successfully delivered to the recipient\u2019s mail server, but the recipient marked it as spam.\n- `DELIVERY` - SES successfully delivered the email to the recipient's mail server.\n- `OPEN` - The recipient received the message and opened it in their email client.\n- `CLICK` - The recipient clicked one or more links in the email.\n- `RENDERING_FAILURE` - The email wasn't sent because of a template rendering issue. This event type can occur when template data is missing, or when there is a mismatch between template parameters and data. (This event type only occurs when you send email using the [`SendEmail`](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_SendEmail.html) or [`SendBulkEmail`](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_SendBulkEmail.html) API operations.)\n- `DELIVERY_DELAY` - The email couldn't be delivered to the recipient\u2019s mail server because a temporary issue occurred. Delivery delays can occur, for example, when the recipient's inbox is full, or when the receiving email server experiences a transient issue.\n- `SUBSCRIPTION` - The email was successfully delivered, but the recipient updated their subscription preferences by clicking on an *unsubscribe* link as part of your [subscription management](https://docs.aws.amazon.com/ses/latest/dg/sending-email-subscription-management.html) .", "title": "MatchingEventTypes", "type": "array" }, @@ -240005,12 +239874,12 @@ "additionalProperties": false, "properties": { "Encoding": { - "markdownDescription": "The encoding to use for the email within the Amazon SNS notification. UTF-8 is easier to use, but may not preserve all special characters when a message was encoded with a different encoding format. Base64 preserves all special characters. The default value is UTF-8.", + "markdownDescription": "The encoding to use for the email within the Amazon SNS notification. The default value is `UTF-8` . Use `BASE64` if you need to preserve all special characters, especially when the original message uses a different encoding format.", "title": "Encoding", "type": "string" }, "TopicArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon SNS topic to notify. You can find the ARN of a topic by using the [ListTopics](https://docs.aws.amazon.com/sns/latest/api/API_ListTopics.html) operation in Amazon SNS.\n\nFor more information about Amazon SNS topics, see the [Amazon SNS Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/CreateTopic.html) .", + "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon SNS Topic to which notification for the email received will be published.", "title": "TopicArn", "type": "string" } @@ -240195,7 +240064,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the template. You will refer to this name when you send email using the `SendTemplatedEmail` or `SendBulkTemplatedEmail` operations.", + "markdownDescription": "The name of the template. You will refer to this name when you send email using the `SendEmail` or `SendBulkEmail` operations.", "title": "TemplateName", "type": "string" }, @@ -261516,12 +261385,12 @@ "type": "string" }, "S3Key": { - "markdownDescription": "The S3 key of your script. For more information, see [Working with Amazon S3 Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html) .", + "markdownDescription": "The Amazon S3 key of your script. For more information, see [Working with Amazon S3 Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html) .", "title": "S3Key", "type": "string" }, "S3ObjectVersion": { - "markdownDescription": "The S3 version ID of your script.", + "markdownDescription": "The Amazon S3 version ID of your script.", "title": "S3ObjectVersion", "type": "string" }, @@ -263524,7 +263393,7 @@ "additionalProperties": false, "properties": { "HomeDirectory": { - "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> The `HomeDirectory` parameter is only used if `HomeDirectoryType` is set to `PATH` .", + "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> You can use the `HomeDirectory` parameter for `HomeDirectoryType` when it is set to either `PATH` or `LOGICAL` .", "title": "HomeDirectory", "type": "string" }, @@ -264832,7 +264701,7 @@ "additionalProperties": false, "properties": { "StatusCode": { - "markdownDescription": "The HTTP response code.", + "markdownDescription": "The HTTP response code. Only `404` and `500` status codes are supported.", "title": "StatusCode", "type": "number" } @@ -265073,7 +264942,7 @@ "additionalProperties": false, "properties": { "StatusCode": { - "markdownDescription": "The HTTP response code.", + "markdownDescription": "The HTTP response code. Only `404` and `500` status codes are supported.", "title": "StatusCode", "type": "number" } @@ -268788,7 +268657,7 @@ "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", + "markdownDescription": "What AWS WAF should do if the headers determined by your match scope are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", "title": "OversizeHandling", "type": "string" } @@ -270290,7 +270159,7 @@ "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", + "markdownDescription": "What AWS WAF should do if the headers determined by your match scope are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", "title": "OversizeHandling", "type": "string" } @@ -276036,6 +275905,9 @@ "ProvisionedPollerConfig": { "$ref": "#/definitions/PassThroughProp" }, + "SchemaRegistryConfig": { + "$ref": "#/definitions/PassThroughProp" + }, "SourceAccessConfigurations": { "allOf": [ { @@ -276881,6 +276753,9 @@ "ProvisionedPollerConfig": { "$ref": "#/definitions/PassThroughProp" }, + "SchemaRegistryConfig": { + "$ref": "#/definitions/PassThroughProp" + }, "SourceAccessConfigurations": { "allOf": [ { diff --git a/schema_source/cloudformation-docs.json b/schema_source/cloudformation-docs.json index 8763b9e440..c31581104b 100644 --- a/schema_source/cloudformation-docs.json +++ b/schema_source/cloudformation-docs.json @@ -217,7 +217,7 @@ "AWS::APS::Scraper": { "Alias": "An optional user-assigned scraper alias.", "Destination": "The Amazon Managed Service for Prometheus workspace the scraper sends metrics to.", - "RoleConfiguration": "", + "RoleConfiguration": "The role configuration in an Amazon Managed Service for Prometheus scraper.", "ScrapeConfiguration": "The configuration in use by the scraper.", "Source": "The Amazon EKS cluster from which the scraper collects metrics.", "Tags": "(Optional) The list of tag keys and values associated with the scraper." @@ -234,8 +234,8 @@ "SubnetIds": "A list of subnet IDs for the Amazon EKS cluster VPC configuration." }, "AWS::APS::Scraper RoleConfiguration": { - "SourceRoleArn": "", - "TargetRoleArn": "" + "SourceRoleArn": "The ARN of the source role.", + "TargetRoleArn": "The ARN of the target role." }, "AWS::APS::Scraper ScrapeConfiguration": { "ConfigurationBlob": "The base 64 encoded scrape configuration file." @@ -251,10 +251,14 @@ "AlertManagerDefinition": "The alert manager definition, a YAML configuration for the alert manager in your Amazon Managed Service for Prometheus workspace.\n\nFor details about the alert manager definition, see [Creating an alert manager configuration files](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-alertmanager-config.html) in the *Amazon Managed Service for Prometheus User Guide* .\n\nThe following example shows part of a CloudFormation YAML file with an embedded alert manager definition (following the `- |-` ).\n\n`Workspace: Type: AWS::APS::Workspace .... Properties: .... AlertManagerDefinition: Fn::Sub: - |- alertmanager_config: | templates: - 'default_template' route: receiver: example-sns receivers: - name: example-sns sns_configs: - topic_arn: 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${TopicName}' -`", "Alias": "The alias that is assigned to this workspace to help identify it. It does not need to be unique.", "KmsKeyArn": "(optional) The ARN for a customer managed AWS KMS key to use for encrypting data within your workspace. For more information about using your own key in your workspace, see [Encryption at rest](https://docs.aws.amazon.com/prometheus/latest/userguide/encryption-at-rest-Amazon-Service-Prometheus.html) in the *Amazon Managed Service for Prometheus User Guide* .", - "LoggingConfiguration": "Contains information about the logging configuration for the workspace.", + "LoggingConfiguration": "Contains information about the current rules and alerting logging configuration for the workspace.\n\n> These logging configurations are only for rules and alerting logs.", + "QueryLoggingConfiguration": "The definition of logging configuration in an Amazon Managed Service for Prometheus workspace.", "Tags": "The list of tag keys and values that are associated with the workspace.", "WorkspaceConfiguration": "Use this structure to define label sets and the ingestion limits for time series that match label sets, and to specify the retention period of the workspace." }, + "AWS::APS::Workspace CloudWatchLogDestination": { + "LogGroupArn": "The ARN of the CloudWatch log group." + }, "AWS::APS::Workspace Label": { "Name": "The name for this label.", "Value": "The value for this label." @@ -269,6 +273,16 @@ "AWS::APS::Workspace LoggingConfiguration": { "LogGroupArn": "The ARN of the CloudWatch log group to which the vended log data will be published. This log group must exist prior to calling this operation." }, + "AWS::APS::Workspace LoggingDestination": { + "CloudWatchLogs": "Configuration details for logging to CloudWatch Logs.", + "Filters": "Filtering criteria that determine which queries are logged." + }, + "AWS::APS::Workspace LoggingFilter": { + "QspThreshold": "" + }, + "AWS::APS::Workspace QueryLoggingConfiguration": { + "Destinations": "Defines a destination and its associated filtering criteria for query logging." + }, "AWS::APS::Workspace Tag": { "Key": "The key of the tag. Must not begin with `aws:` .", "Value": "The value of the tag." @@ -390,7 +404,7 @@ "AWS::AmazonMQ::Broker User": { "ConsoleAccess": "Enables access to the ActiveMQ web console for the ActiveMQ user. Does not apply to RabbitMQ brokers.", "Groups": "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long. Does not apply to RabbitMQ brokers.", - "JolokiaApiAccess": "Turn on Jolokia access for your ActiveMQ broker user (Does not apply to RabbitMQ brokers).", + "JolokiaApiAccess": "", "Password": "The password of the user. This value must be at least 12 characters long, must contain at least 4 unique characters, and must not contain commas, colons, or equal signs (,:=).", "ReplicationUser": "Defines if this user is intended for CRDR replication purposes.", "Username": "The username of the broker user. For Amazon MQ for ActiveMQ brokers, this value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). For Amazon MQ for RabbitMQ brokers, this value can contain only alphanumeric characters, dashes, periods, underscores (- . _). This value must not contain a tilde (~) character. Amazon MQ prohibts using guest as a valid usename. This value must be 2-100 characters long.\n\n> Do not add personally identifiable information (PII) or other confidential or sensitive information in broker usernames. Broker usernames are accessible to other AWS services, including CloudWatch Logs . Broker usernames are not intended to be used for private or sensitive data." @@ -454,7 +468,7 @@ "Username": "The user name for basic authorization." }, "AWS::Amplify::App CacheConfig": { - "Type": "The type of cache configuration to use for an Amplify app.\n\nThe `AMPLIFY_MANAGED` cache configuration automatically applies an optimized cache configuration for your app based on its platform, routing rules, and rewrite rules. This is the default setting.\n\nThe `AMPLIFY_MANAGED_NO_COOKIES` cache configuration type is the same as `AMPLIFY_MANAGED` , except that it excludes all cookies from the cache key." + "Type": "The type of cache configuration to use for an Amplify app.\n\nThe `AMPLIFY_MANAGED` cache configuration automatically applies an optimized cache configuration for your app based on its platform, routing rules, and rewrite rules.\n\nThe `AMPLIFY_MANAGED_NO_COOKIES` cache configuration type is the same as `AMPLIFY_MANAGED` , except that it excludes all cookies from the cache key. This is the default setting." }, "AWS::Amplify::App CustomRule": { "Condition": "The condition for a URL rewrite or redirect rule, such as a country code.", @@ -907,6 +921,7 @@ "MutualTlsAuthentication": "The mutual TLS authentication configuration for a custom domain name. If specified, API Gateway performs two-way authentication between the client and the server. Clients must present a trusted certificate to access your API.", "OwnershipVerificationCertificateArn": "The ARN of the public certificate issued by ACM to validate ownership of your custom domain. Only required when configuring mutual TLS and using an ACM imported or private CA certificate ARN as the RegionalCertificateArn.", "RegionalCertificateArn": "The reference to an AWS -managed certificate that will be used for validating the regional domain name. AWS Certificate Manager is the only supported source.", + "RoutingMode": "The routing mode for this domain name. The routing mode determines how API Gateway sends traffic from your custom domain name to your public APIs.", "SecurityPolicy": "The Transport Layer Security (TLS) version + cipher suite for this DomainName. The valid values are `TLS_1_0` and `TLS_1_2` .", "Tags": "The collection of tags. Each tag element is associated with a given resource." }, @@ -937,10 +952,12 @@ "DomainName": "Represents a custom domain name as a user-friendly host name of an API (RestApi).", "EndpointConfiguration": "The endpoint configuration to indicate the types of endpoints an API (RestApi) or its custom domain name (DomainName) has and the IP address types that can invoke it.", "Policy": "A stringified JSON policy document that applies to the `execute-api` service for this DomainName regardless of the caller and Method configuration. You can use `Fn::ToJsonString` to enter your `policy` . For more information, see [Fn::ToJsonString](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ToJsonString.html) .", + "RoutingMode": "The routing mode for this domain name. The routing mode determines how API Gateway sends traffic from your custom domain name to your private APIs.", "SecurityPolicy": "The Transport Layer Security (TLS) version + cipher suite for this DomainName. Only `TLS_1_2` is supported.", "Tags": "The collection of tags. Each tag element is associated with a given resource." }, "AWS::ApiGateway::DomainNameV2 EndpointConfiguration": { + "IpAddressType": "The IP address types that can invoke an API (RestApi) or a DomainName. Use `ipv4` to allow only IPv4 addresses to invoke an API or DomainName, or use `dualstack` to allow both IPv4 and IPv6 addresses to invoke an API or a DomainName. For the `PRIVATE` endpoint type, only `dualstack` is supported.", "Types": "A list of endpoint types of an API (RestApi) or its custom domain name (DomainName). For an edge-optimized API and its custom domain name, the endpoint type is `\"EDGE\"` . For a regional API and its custom domain name, the endpoint type is `REGIONAL` . For a private API, the endpoint type is `PRIVATE` ." }, "AWS::ApiGateway::DomainNameV2 Tag": { @@ -981,7 +998,7 @@ "PassthroughBehavior": "Specifies how the method request body of an unmapped content type will be passed through the integration request to the back end without transformation. A content type is unmapped if no mapping template is defined in the integration or the content type does not match any of the mapped content types, as specified in `requestTemplates` . The valid value is one of the following: `WHEN_NO_MATCH` : passes the method request body through the integration request to the back end without transformation when the method request content type does not match any content type associated with the mapping templates defined in the integration request. `WHEN_NO_TEMPLATES` : passes the method request body through the integration request to the back end without transformation when no mapping template is defined in the integration request. If a template is defined when this option is selected, the method request of an unmapped content-type will be rejected with an HTTP 415 Unsupported Media Type response. `NEVER` : rejects the method request with an HTTP 415 Unsupported Media Type response when either the method request content type does not match any content type associated with the mapping templates defined in the integration request or no mapping template is defined in the integration request.", "RequestParameters": "A key-value map specifying request parameters that are passed from the method request to the back end. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the back end. The method request parameter value must match the pattern of `method.request.{location}.{name}` , where `location` is `querystring` , `path` , or `header` and `name` must be a valid and unique method request parameter name.", "RequestTemplates": "Represents a map of Velocity templates that are applied on the request payload based on the value of the Content-Type header sent by the client. The content type value is the key in this map, and the template (as a String) is the value.", - "TimeoutInMillis": "Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29 seconds.", + "TimeoutInMillis": "Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29 seconds. You can increase the default value to longer than 29 seconds for Regional or private APIs only.", "Type": "Specifies an API method integration type. The valid value is one of the following:\n\nFor the HTTP and HTTP proxy integrations, each integration can specify a protocol ( `http/https` ), port and path. Standard 80 and 443 ports are supported as well as custom ports above 1024. An HTTP or HTTP proxy integration with a `connectionType` of `VPC_LINK` is referred to as a private integration and uses a VpcLink to connect API Gateway to a network load balancer of a VPC.", "Uri": "Specifies Uniform Resource Identifier (URI) of the integration endpoint.\n\nFor `HTTP` or `HTTP_PROXY` integrations, the URI must be a fully formed, encoded HTTP(S) URL according to the RFC-3986 specification for standard integrations. If `connectionType` is `VPC_LINK` specify the Network Load Balancer DNS name. For `AWS` or `AWS_PROXY` integrations, the URI is of the form `arn:aws:apigateway:{region}:{subdomain.service|service}:path|action/{service_api}` . Here, {Region} is the API Gateway region (e.g., us-east-1); {service} is the name of the integrated AWS service (e.g., s3); and {subdomain} is a designated subdomain supported by certain AWS service for fast host-name lookup. action can be used for an AWS service action-based API, using an Action={name}&{p1}={v1}&p2={v2}... query string. The ensuing {service_api} refers to a supported action {name} plus any required input parameters. Alternatively, path can be used for an AWS service path-based API. The ensuing service_api refers to the path to an AWS service resource, including the region of the integrated AWS service, if applicable. For example, for integration with the S3 API of GetObject, the uri can be either `arn:aws:apigateway:us-west-2:s3:action/GetObject&Bucket={bucket}&Key={key}` or `arn:aws:apigateway:us-west-2:s3:path/{bucket}/{key}`" }, @@ -1234,6 +1251,7 @@ "DomainName": "The custom domain name for your API in Amazon API Gateway. Uppercase letters and the underscore ( `_` ) character are not supported.", "DomainNameConfigurations": "The domain name configurations.", "MutualTlsAuthentication": "The mutual TLS authentication configuration for a custom domain name.", + "RoutingMode": "The routing mode API Gateway uses to route traffic to your APIs.", "Tags": "The collection of tags associated with a domain name." }, "AWS::ApiGatewayV2::DomainName DomainNameConfiguration": { @@ -1319,6 +1337,34 @@ "AWS::ApiGatewayV2::RouteResponse ParameterConstraints": { "Required": "Specifies whether the parameter is required." }, + "AWS::ApiGatewayV2::RoutingRule": { + "Actions": "The resulting action based on matching a routing rules condition. Only InvokeApi is supported.", + "Conditions": "The conditions of the routing rule.", + "DomainNameArn": "The ARN of the domain name.", + "Priority": "The order in which API Gateway evaluates a rule. Priority is evaluated from the lowest value to the highest value. Rules can't have the same priority. Priority values 1-1,000,000 are supported." + }, + "AWS::ApiGatewayV2::RoutingRule Action": { + "InvokeApi": "Represents an InvokeApi action." + }, + "AWS::ApiGatewayV2::RoutingRule ActionInvokeApi": { + "ApiId": "The API identifier of the target API.", + "Stage": "The name of the target stage.", + "StripBasePath": "The strip base path setting. When true, API Gateway strips the incoming matched base path when forwarding the request to the target API." + }, + "AWS::ApiGatewayV2::RoutingRule Condition": { + "MatchBasePaths": "The base path to be matched.", + "MatchHeaders": "The headers to be matched." + }, + "AWS::ApiGatewayV2::RoutingRule MatchBasePaths": { + "AnyOf": "The string of the case sensitive base path to be matched." + }, + "AWS::ApiGatewayV2::RoutingRule MatchHeaderValue": { + "Header": "The case insensitive header name to be matched. The header name must be less than 40 characters and the only allowed characters are `a-z` , `A-Z` , `0-9` , and the following special characters: `*?-!#$%&'.^_`|~.` .", + "ValueGlob": "The case sensitive header glob value to be matched against entire header value. The header glob value must be less than 128 characters and the only allowed characters are `a-z` , `A-Z` , `0-9` , and the following special characters: `*?-!#$%&'.^_`|~` . Wildcard matching is supported for header glob values but must be for `*prefix-match` , `suffix-match*` , or `*infix*-match` ." + }, + "AWS::ApiGatewayV2::RoutingRule MatchHeaders": { + "AnyOf": "The header name and header value glob to be matched. The matchHeaders condition is matched if any of the header name and header value globs are matched." + }, "AWS::ApiGatewayV2::Stage": { "AccessLogSettings": "Settings for logging access in this stage.", "AccessPolicyId": "This parameter is not currently supported.", @@ -3170,6 +3216,7 @@ "ApiId": "The `Api` ID.", "CodeHandlers": "The event handler functions that run custom business logic to process published events and subscribe requests.", "CodeS3Location": "The Amazon S3 endpoint where the code is located.", + "HandlerConfigs": "The configuration for the `OnPublish` and `OnSubscribe` handlers.", "Name": "The name of the channel namespace. This name must be unique within the `Api` .", "PublishAuthModes": "The authorization mode to use for publishing messages on the channel namespace. This configuration overrides the default `Api` authorization configuration.", "SubscribeAuthModes": "The authorization mode to use for subscribing to messages on the channel namespace. This configuration overrides the default `Api` authorization configuration.", @@ -3178,6 +3225,21 @@ "AWS::AppSync::ChannelNamespace AuthMode": { "AuthType": "The authorization type." }, + "AWS::AppSync::ChannelNamespace HandlerConfig": { + "Behavior": "The behavior for the handler.", + "Integration": "The integration data source configuration for the handler." + }, + "AWS::AppSync::ChannelNamespace HandlerConfigs": { + "OnPublish": "The configuration for the `OnPublish` handler.", + "OnSubscribe": "The configuration for the `OnSubscribe` handler." + }, + "AWS::AppSync::ChannelNamespace Integration": { + "DataSourceName": "The unique name of the data source that has been configured on the API.", + "LambdaConfig": "The configuration for a Lambda data source." + }, + "AWS::AppSync::ChannelNamespace LambdaConfig": { + "InvokeType": "The invocation type for a Lambda data source." + }, "AWS::AppSync::ChannelNamespace Tag": { "Key": "Describes the key of the tag.", "Value": "Describes the value of the tag." @@ -4049,7 +4111,7 @@ "MixedInstancesPolicy": "An embedded object that specifies a mixed instances policy.\n\nThe policy includes properties that not only define the distribution of On-Demand Instances and Spot Instances, the maximum price to pay for Spot Instances (optional), and how the Auto Scaling group allocates instance types to fulfill On-Demand and Spot capacities, but also the properties that specify the instance configuration information\u2014the launch template and instance types. The policy can also include a weight for each instance type and different launch templates for individual instance types.\n\nFor more information, see [Auto Scaling groups with multiple instance types and purchase options](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html) in the *Amazon EC2 Auto Scaling User Guide* .", "NewInstancesProtectedFromScaleIn": "Indicates whether newly launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in. For more information about preventing instances from terminating on scale in, see [Use instance scale-in protection](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-instance-protection.html) in the *Amazon EC2 Auto Scaling User Guide* .", "NotificationConfigurations": "Configures an Auto Scaling group to send notifications when specified events take place.", - "PlacementGroup": "The name of the placement group into which to launch your instances. For more information, see [Placement groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\n> A *cluster* placement group is a logical grouping of instances within a single Availability Zone. You cannot specify multiple Availability Zones and a cluster placement group.", + "PlacementGroup": "The name of the placement group into which to launch your instances. For more information, see [Placement groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide* .\n\n> A *cluster* placement group is a logical grouping of instances within a single Availability Zone. You cannot specify multiple Availability Zones and a cluster placement group.", "ServiceLinkedRoleARN": "The Amazon Resource Name (ARN) of the service-linked role that the Auto Scaling group uses to call other AWS service on your behalf. By default, Amazon EC2 Auto Scaling uses a service-linked role named `AWSServiceRoleForAutoScaling` , which it creates if it does not exist. For more information, see [Service-linked roles](https://docs.aws.amazon.com/autoscaling/ec2/userguide/autoscaling-service-linked-role.html) in the *Amazon EC2 Auto Scaling User Guide* .", "SkipZonalShiftValidation": "", "Tags": "One or more tags. You can tag your Auto Scaling group and propagate the tags to the Amazon EC2 instances it launches. Tags are not propagated to Amazon EBS volumes. To add tags to Amazon EBS volumes, specify the tags in a launch template but use caution. If the launch template specifies an instance tag with a key that is also specified for the Auto Scaling group, Amazon EC2 Auto Scaling overrides the value of that instance tag with the value specified by the Auto Scaling group. For more information, see [Tag Auto Scaling groups and instances](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-tagging.html) in the *Amazon EC2 Auto Scaling User Guide* .", @@ -4103,13 +4165,13 @@ "AcceleratorTypes": "Lists the accelerator types that must be on an instance type.\n\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "AllowedInstanceTypes": "The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes.\n\nYou can use strings with one or more wild cards, represented by an asterisk ( `*` ), to allow an instance type, size, or generation. The following are examples: `m5.8xlarge` , `c5*.*` , `m5a.*` , `r*` , `*3*` .\n\nFor example, if you specify `c5*` , Amazon EC2 Auto Scaling will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*` , Amazon EC2 Auto Scaling will allow all the M5a instance types, but not the M5n instance types.\n\n> If you specify `AllowedInstanceTypes` , you can't specify `ExcludedInstanceTypes` . \n\nDefault: All instance types", "BareMetal": "Indicates whether bare metal instance types are included, excluded, or required.\n\nDefault: `excluded`", - "BaselineEbsBandwidthMbps": "The minimum and maximum baseline bandwidth performance for an instance type, in Mbps. For more information, see [Amazon EBS\u2013optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nDefault: No minimum or maximum limits", + "BaselineEbsBandwidthMbps": "The minimum and maximum baseline bandwidth performance for an instance type, in Mbps. For more information, see [Amazon EBS\u2013optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide* .\n\nDefault: No minimum or maximum limits", "BaselinePerformanceFactors": "The baseline performance factors for the instance requirements.", - "BurstablePerformance": "Indicates whether burstable performance instance types are included, excluded, or required. For more information, see [Burstable performance instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nDefault: `excluded`", - "CpuManufacturers": "Lists which specific CPU manufacturers to include.\n\n- For instance types with Intel CPUs, specify `intel` .\n- For instance types with AMD CPUs, specify `amd` .\n- For instance types with AWS CPUs, specify `amazon-web-services` .\n\n> Don't confuse the CPU hardware manufacturer with the CPU hardware architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. \n\nDefault: Any manufacturer", + "BurstablePerformance": "Indicates whether burstable performance instance types are included, excluded, or required. For more information, see [Burstable performance instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) in the *Amazon EC2 User Guide* .\n\nDefault: `excluded`", + "CpuManufacturers": "Lists which specific CPU manufacturers to include.\n\n- For instance types with Intel CPUs, specify `intel` .\n- For instance types with AMD CPUs, specify `amd` .\n- For instance types with AWS CPUs, specify `amazon-web-services` .\n- For instance types with Apple CPUs, specify `apple` .\n\n> Don't confuse the CPU hardware manufacturer with the CPU hardware architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. \n\nDefault: Any manufacturer", "ExcludedInstanceTypes": "The instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk ( `*` ), to exclude an instance family, type, size, or generation. The following are examples: `m5.8xlarge` , `c5*.*` , `m5a.*` , `r*` , `*3*` .\n\nFor example, if you specify `c5*` , you are excluding the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*` , Amazon EC2 Auto Scaling will exclude all the M5a instance types, but not the M5n instance types.\n\n> If you specify `ExcludedInstanceTypes` , you can't specify `AllowedInstanceTypes` . \n\nDefault: No excluded instance types", - "InstanceGenerations": "Indicates whether current or previous generation instance types are included.\n\n- For current generation instance types, specify `current` . The current generation includes EC2 instance types currently recommended for use. This typically includes the latest two to three generations in each instance family. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide for Linux Instances* .\n- For previous generation instance types, specify `previous` .\n\nDefault: Any current or previous generation", - "LocalStorage": "Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, see [Amazon EC2 instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nDefault: `included`", + "InstanceGenerations": "Indicates whether current or previous generation instance types are included.\n\n- For current generation instance types, specify `current` . The current generation includes EC2 instance types currently recommended for use. This typically includes the latest two to three generations in each instance family. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide* .\n- For previous generation instance types, specify `previous` .\n\nDefault: Any current or previous generation", + "LocalStorage": "Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, see [Amazon EC2 instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html) in the *Amazon EC2 User Guide* .\n\nDefault: `included`", "LocalStorageTypes": "Indicates the type of local storage that is required.\n\n- For instance types with hard disk drive (HDD) storage, specify `hdd` .\n- For instance types with solid state drive (SSD) storage, specify `ssd` .\n\nDefault: Any local storage type", "MaxSpotPriceAsPercentageOfOptimalOnDemandPrice": "[Price protection] The price protection threshold for Spot Instances, as a percentage of an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified price is from either the lowest priced current generation instance types or, failing that, the lowest priced previous generation instance types that match your attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price exceeds your specified threshold.\n\nThe parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage.\n\nIf you set `DesiredCapacityType` to `vcpu` or `memory-mib` , the price protection threshold is based on the per-vCPU or per-memory price instead of the per instance price.\n\n> Only one of `SpotMaxPricePercentageOverLowestPrice` or `MaxSpotPriceAsPercentageOfOptimalOnDemandPrice` can be specified. If you don't specify either, Amazon EC2 Auto Scaling will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as `999999` .", "MemoryGiBPerVCpu": "The minimum and maximum amount of memory per vCPU for an instance type, in GiB.\n\nDefault: No minimum or maximum limits", @@ -4136,7 +4198,7 @@ }, "AWS::AutoScaling::AutoScalingGroup LaunchTemplateOverrides": { "InstanceRequirements": "The instance requirements. Amazon EC2 Auto Scaling uses your specified requirements to identify instance types. Then, it uses your On-Demand and Spot allocation strategies to launch instances from these instance types.\n\nYou can specify up to four separate sets of instance requirements per Auto Scaling group. This is useful for provisioning instances from different Amazon Machine Images (AMIs) in the same Auto Scaling group. To do this, create the AMIs and create a new launch template for each AMI. Then, create a compatible set of instance requirements for each launch template.\n\n> If you specify `InstanceRequirements` , you can't specify `InstanceType` .", - "InstanceType": "The instance type, such as `m3.xlarge` . You must specify an instance type that is supported in your requested Region and Availability Zones. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nYou can specify up to 40 instance types per Auto Scaling group.", + "InstanceType": "The instance type, such as `m3.xlarge` . You must specify an instance type that is supported in your requested Region and Availability Zones. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide* .\n\nYou can specify up to 40 instance types per Auto Scaling group.", "LaunchTemplateSpecification": "Provides a launch template for the specified instance type or set of instance requirements. For example, some instance types might require a launch template with a different AMI. If not provided, Amazon EC2 Auto Scaling uses the launch template that's specified in the `LaunchTemplate` definition. For more information, see [Specifying a different launch template for an instance type](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups-launch-template-overrides.html) in the *Amazon EC2 Auto Scaling User Guide* .\n\nYou can specify up to 20 launch templates per Auto Scaling group. The launch templates specified in the overrides and in the `LaunchTemplate` definition count towards this limit.", "WeightedCapacity": "If you provide a list of instance types to use, you can specify the number of capacity units provided by each instance type in terms of virtual CPUs, memory, storage, throughput, or other relative performance characteristic. When a Spot or On-Demand Instance is launched, the capacity units count toward the desired capacity. Amazon EC2 Auto Scaling launches instances until the desired capacity is totally fulfilled, even if this results in an overage. For example, if there are two units remaining to fulfill capacity, and Amazon EC2 Auto Scaling can only launch an instance with a `WeightedCapacity` of five units, the instance is launched, and the desired capacity is exceeded by three units. For more information, see [Configure instance weighting for Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups-instance-weighting.html) in the *Amazon EC2 Auto Scaling User Guide* . Value must be in the range of 1-999.\n\nIf you specify a value for `WeightedCapacity` for one instance type, you must specify a value for `WeightedCapacity` for all of them.\n\n> Every Auto Scaling group has three size parameters ( `DesiredCapacity` , `MaxSize` , and `MinSize` ). Usually, you set these sizes based on a specific number of instances. However, if you configure a mixed instances policy that defines weights for the instance types, you must specify these sizes with the same units that you use for weighting instances." }, @@ -4204,21 +4266,21 @@ }, "AWS::AutoScaling::LaunchConfiguration": { "AssociatePublicIpAddress": "Specifies whether to assign a public IPv4 address to the group's instances. If the instance is launched into a default subnet, the default is to assign a public IPv4 address, unless you disabled the option to assign a public IPv4 address on the subnet. If the instance is launched into a nondefault subnet, the default is not to assign a public IPv4 address, unless you enabled the option to assign a public IPv4 address on the subnet.\n\nIf you specify `true` , each instance in the Auto Scaling group receives a unique public IPv4 address. For more information, see [Provide network connectivity for your Auto Scaling instances using Amazon VPC](https://docs.aws.amazon.com/autoscaling/ec2/userguide/asg-in-vpc.html) in the *Amazon EC2 Auto Scaling User Guide* .\n\nIf you specify this property, you must specify at least one subnet for `VPCZoneIdentifier` when you create your group.", - "BlockDeviceMappings": "The block device mapping entries that define the block devices to attach to the instances at launch. By default, the block devices specified in the block device mapping for the AMI are used. For more information, see [Block device mappings](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "BlockDeviceMappings": "The block device mapping entries that define the block devices to attach to the instances at launch. By default, the block devices specified in the block device mapping for the AMI are used. For more information, see [Block device mappings](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) in the *Amazon EC2 User Guide* .", "ClassicLinkVPCId": "Available for backward compatibility.", "ClassicLinkVPCSecurityGroups": "Available for backward compatibility.", - "EbsOptimized": "Specifies whether the launch configuration is optimized for EBS I/O ( `true` ) or not ( `false` ). The optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization is not available with all instance types. Additional fees are incurred when you enable EBS optimization for an instance type that is not EBS-optimized by default. For more information, see [Amazon EBS-optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nThe default value is `false` .", + "EbsOptimized": "Specifies whether the launch configuration is optimized for EBS I/O ( `true` ) or not ( `false` ). The optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization is not available with all instance types. Additional fees are incurred when you enable EBS optimization for an instance type that is not EBS-optimized by default. For more information, see [Amazon EBS-optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide* .\n\nThe default value is `false` .", "IamInstanceProfile": "The name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance. The instance profile contains the IAM role. For more information, see [IAM role for applications that run on Amazon EC2 instances](https://docs.aws.amazon.com/autoscaling/ec2/userguide/us-iam-role.html) in the *Amazon EC2 Auto Scaling User Guide* .", - "ImageId": "The ID of the Amazon Machine Image (AMI) that was assigned during registration. For more information, see [Find a Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nIf you specify `InstanceId` , an `ImageId` is not required.", + "ImageId": "The ID of the Amazon Machine Image (AMI) that was assigned during registration. For more information, see [Find a Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html) in the *Amazon EC2 User Guide* .\n\nIf you specify `InstanceId` , an `ImageId` is not required.", "InstanceId": "The ID of the Amazon EC2 instance to use to create the launch configuration. When you use an instance to create a launch configuration, all properties are derived from the instance with the exception of `BlockDeviceMapping` and `AssociatePublicIpAddress` . You can override any properties from the instance by specifying them in the launch configuration.", "InstanceMonitoring": "Controls whether instances in this group are launched with detailed ( `true` ) or basic ( `false` ) monitoring.\n\nThe default value is `true` (enabled).\n\n> When detailed monitoring is enabled, Amazon CloudWatch generates metrics every minute and your account is charged a fee. When you disable detailed monitoring, CloudWatch generates metrics every 5 minutes. For more information, see [Configure monitoring for Auto Scaling instances](https://docs.aws.amazon.com/autoscaling/latest/userguide/enable-as-instance-metrics.html) in the *Amazon EC2 Auto Scaling User Guide* .", - "InstanceType": "Specifies the instance type of the EC2 instance. For information about available instance types, see [Available instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes) in the *Amazon EC2 User Guide for Linux Instances* .\n\nIf you specify `InstanceId` , an `InstanceType` is not required.", - "KernelId": "The ID of the kernel associated with the AMI.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide for Linux Instances* .", - "KeyName": "The name of the key pair. For more information, see [Amazon EC2 key pairs and Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "InstanceType": "Specifies the instance type of the EC2 instance. For information about available instance types, see [Available instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes) in the *Amazon EC2 User Guide* .\n\nIf you specify `InstanceId` , an `InstanceType` is not required.", + "KernelId": "The ID of the kernel associated with the AMI.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide* .", + "KeyName": "The name of the key pair. For more information, see [Amazon EC2 key pairs and Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) in the *Amazon EC2 User Guide* .", "LaunchConfigurationName": "The name of the launch configuration. This name must be unique per Region per account.", "MetadataOptions": "The metadata options for the instances. For more information, see [Configure the instance metadata options](https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-config.html#launch-configurations-imds) in the *Amazon EC2 Auto Scaling User Guide* .", "PlacementTenancy": "The tenancy of the instance, either `default` or `dedicated` . An instance with `dedicated` tenancy runs on isolated, single-tenant hardware and can only be launched into a VPC. To launch dedicated instances into a shared tenancy VPC (a VPC with the instance placement tenancy attribute set to `default` ), you must set the value of this property to `dedicated` .\n\nIf you specify `PlacementTenancy` , you must specify at least one subnet for `VPCZoneIdentifier` when you create your group.\n\nValid values: `default` | `dedicated`", - "RamDiskId": "The ID of the RAM disk to select.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "RamDiskId": "The ID of the RAM disk to select.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide* .", "SecurityGroups": "A list that contains the security groups to assign to the instances in the Auto Scaling group. The list can contain both the IDs of existing security groups and references to [SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) resources created in the template.\n\nFor more information, see [Control traffic to resources using security groups](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html) in the *Amazon Virtual Private Cloud User Guide* .", "SpotPrice": "The maximum hourly price to be paid for any Spot Instance launched to fulfill the request. Spot Instances are launched when the price you specify exceeds the current Spot price. For more information, see [Request Spot Instances for fault-tolerant and flexible applications](https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-template-spot-instances.html) in the *Amazon EC2 Auto Scaling User Guide* .\n\nValid Range: Minimum value of 0.001\n\n> When you change your maximum price by creating a new launch configuration, running instances will continue to run as long as the maximum price for those running instances is higher than the current Spot price.", "UserData": "The Base64-encoded user data to make available to the launched EC2 instances. For more information, see [Instance metadata and user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide for Linux Instances* ." @@ -4233,7 +4295,7 @@ "VolumeType": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html) in the *Amazon EBS User Guide* .\n\nValid values: `standard` | `io1` | `gp2` | `st1` | `sc1` | `gp3`" }, "AWS::AutoScaling::LaunchConfiguration BlockDeviceMapping": { - "DeviceName": "The device name assigned to the volume (for example, `/dev/sdh` or `xvdh` ). For more information, see [Device naming on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\n> To define a block device mapping, set the device name and exactly one of the following properties: `Ebs` , `NoDevice` , or `VirtualName` .", + "DeviceName": "The device name assigned to the volume (for example, `/dev/sdh` or `xvdh` ). For more information, see [Device naming on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html) in the *Amazon EC2 User Guide* .\n\n> To define a block device mapping, set the device name and exactly one of the following properties: `Ebs` , `NoDevice` , or `VirtualName` .", "Ebs": "Information to attach an EBS volume to an instance at launch.", "NoDevice": "Setting this value to `true` prevents a volume that is included in the block device mapping of the AMI from being mapped to the specified device name at launch.\n\nIf `NoDevice` is `true` for the root device, instances might fail the EC2 health check. In that case, Amazon EC2 Auto Scaling launches replacement instances.", "VirtualName": "The name of the instance store volume (virtual device) to attach to an instance at launch. The name must be in the form ephemeral *X* where *X* is a number starting from zero (0), for example, `ephemeral0` ." @@ -4631,7 +4693,7 @@ "CompletionWindowMinutes": "A value in minutes after a backup job is successfully started before it must be completed or it is canceled by AWS Backup .", "CopyActions": "An array of CopyAction objects, which contains the details of the copy operation.", "EnableContinuousBackup": "Enables continuous backup and point-in-time restores (PITR).", - "IndexActions": "", + "IndexActions": "There can up to one IndexAction in each BackupRule, as each backup can have 0 or 1 backup index associated with it.\n\nWithin the array is ResourceTypes. Only 1 resource type will be accepted for each BackupRule. Valid values:\n\n- `EBS` for Amazon Elastic Block Store\n- `S3` for Amazon Simple Storage Service (Amazon S3)", "Lifecycle": "The lifecycle defines when a protected resource is transitioned to cold storage and when it expires. AWS Backup transitions and expires backups automatically according to the lifecycle that you define.", "RecoveryPointTags": "The tags to assign to the resources.", "RuleName": "A display name for a backup rule.", @@ -4645,11 +4707,11 @@ "Lifecycle": "Defines when a protected resource is transitioned to cold storage and when it expires. AWS Backup transitions and expires backups automatically according to the lifecycle that you define. If you do not specify a lifecycle, AWS Backup applies the lifecycle policy of the source backup to the destination backup.\n\nBackups transitioned to cold storage must be stored in cold storage for a minimum of 90 days." }, "AWS::Backup::BackupPlan IndexActionsResourceType": { - "ResourceTypes": "" + "ResourceTypes": "0 or 1 index action will be accepted for each BackupRule.\n\nValid values:\n\n- `EBS` for Amazon Elastic Block Store\n- `S3` for Amazon Simple Storage Service (Amazon S3)" }, "AWS::Backup::BackupPlan LifecycleResourceType": { - "DeleteAfterDays": "Specifies the number of days after creation that a recovery point is deleted. Must be greater than `MoveToColdStorageAfterDays` .", - "MoveToColdStorageAfterDays": "Specifies the number of days after creation that a recovery point is moved to cold storage.", + "DeleteAfterDays": "The number of days after creation that a recovery point is deleted. This value must be at least 90 days after the number of days specified in `MoveToColdStorageAfterDays` .", + "MoveToColdStorageAfterDays": "The number of days after creation that a recovery point is moved to cold storage.", "OptInToArchiveForSupportedResources": "If the value is true, your backup plan transitions supported resources to archive (cold) storage tier in accordance with your lifecycle settings." }, "AWS::Backup::BackupSelection": { @@ -5380,6 +5442,9 @@ "State": "Whether generating categorical data from audio is enabled.", "Types": "The types of data to generate." }, + "AWS::Bedrock::DataAutomationProject AudioOverrideConfiguration": { + "ModalityProcessing": "Sets modality processing for audio files. All modalities are enabled by default." + }, "AWS::Bedrock::DataAutomationProject AudioStandardExtraction": { "Category": "Settings for generating data from audio." }, @@ -5416,6 +5481,7 @@ "Types": "The types of output text to generate." }, "AWS::Bedrock::DataAutomationProject DocumentOverrideConfiguration": { + "ModalityProcessing": "Sets modality processing for document files. All modalities are enabled by default.", "Splitter": "Whether document splitter is enabled for a project." }, "AWS::Bedrock::DataAutomationProject DocumentStandardExtraction": { @@ -5437,6 +5503,9 @@ "State": "Whether generating categorical data from images is enabled.", "Types": "The types of data to generate." }, + "AWS::Bedrock::DataAutomationProject ImageOverrideConfiguration": { + "ModalityProcessing": "Sets modality processing for image files. All modalities are enabled by default." + }, "AWS::Bedrock::DataAutomationProject ImageStandardExtraction": { "BoundingBox": "Settings for generating bounding boxes.", "Category": "Settings for generating categorical data." @@ -5449,8 +5518,21 @@ "Extraction": "Settings for populating data fields that describe the image.", "GenerativeField": "Whether to generate descriptions of the data." }, + "AWS::Bedrock::DataAutomationProject ModalityProcessingConfiguration": { + "State": "Stores the state of the modality for your project, set to either enabled or disabled" + }, + "AWS::Bedrock::DataAutomationProject ModalityRoutingConfiguration": { + "jpeg": "Sets whether JPEG files are routed to document or image processing.", + "mov": "Sets whether MOV files are routed to audio or video processing.", + "mp4": "Sets whether MP4 files are routed to audio or video processing.", + "png": "Sets whether PNG files are routed to document or image processing." + }, "AWS::Bedrock::DataAutomationProject OverrideConfiguration": { - "Document": "Additional settings for a project." + "Audio": "This element declares whether your project will process audio files.", + "Document": "Additional settings for a project.", + "Image": "This element declares whether your project will process image files.", + "ModalityRouting": "Lets you set which modalities certain file types are processed as.", + "Video": "This element declares whether your project will process video files." }, "AWS::Bedrock::DataAutomationProject SplitterConfiguration": { "State": "Whether document splitter is enabled for a project." @@ -5472,6 +5554,9 @@ "State": "Whether generating categorical data from video is enabled.", "Types": "The types of data to generate." }, + "AWS::Bedrock::DataAutomationProject VideoOverrideConfiguration": { + "ModalityProcessing": "Sets modality processing for video files. All modalities are enabled by default." + }, "AWS::Bedrock::DataAutomationProject VideoStandardExtraction": { "BoundingBox": "Settings for generating bounding boxes.", "Category": "Settings for generating categorical data." @@ -5679,6 +5764,9 @@ "AWS::Bedrock::Flow ConditionFlowNodeConfiguration": { "Conditions": "An array of conditions. Each member contains the name of a condition and an expression that defines the condition." }, + "AWS::Bedrock::Flow FieldForReranking": { + "FieldName": "The name of a metadata field to include in or exclude from consideration when reranking." + }, "AWS::Bedrock::Flow FlowCondition": { "Expression": "Defines the condition. You must refer to at least one of the inputs in the condition. For more information, expand the Condition node section in [Node types in prompt flows](https://docs.aws.amazon.com/bedrock/latest/userguide/flows-how-it-works.html#flows-nodes) .", "Name": "A name for the condition that you can reference." @@ -5715,21 +5803,26 @@ "AWS::Bedrock::Flow FlowNodeConfiguration": { "Agent": "Contains configurations for an agent node in your flow. Invokes an alias of an agent and returns the response.", "Collector": "Contains configurations for a collector node in your flow. Collects an iteration of inputs and consolidates them into an array of outputs.", - "Condition": "Contains configurations for a Condition node in your flow. Defines conditions that lead to different branches of the flow.", + "Condition": "Contains configurations for a condition node in your flow. Defines conditions that lead to different branches of the flow.", + "InlineCode": "Contains configurations for an inline code node in your flow. Inline code nodes let you write and execute code directly within your flow, enabling data transformations, custom logic, and integrations without needing an external Lambda function.", "Input": "Contains configurations for an input flow node in your flow. The first node in the flow. `inputs` can't be specified for this node.", "Iterator": "Contains configurations for an iterator node in your flow. Takes an input that is an array and iteratively sends each item of the array as an output to the following node. The size of the array is also returned in the output.\n\nThe output flow node at the end of the flow iteration will return a response for each member of the array. To return only one response, you can include a collector node downstream from the iterator node.", "KnowledgeBase": "Contains configurations for a knowledge base node in your flow. Queries a knowledge base and returns the retrieved results or generated response.", "LambdaFunction": "Contains configurations for a Lambda function node in your flow. Invokes an AWS Lambda function.", "Lex": "Contains configurations for a Lex node in your flow. Invokes an Amazon Lex bot to identify the intent of the input and return the intent as the output.", + "Loop": "Contains configurations for a DoWhile loop in your flow.", + "LoopController": "Contains controller node configurations for a DoWhile loop in your flow.", + "LoopInput": "Contains input node configurations for a DoWhile loop in your flow.", "Output": "Contains configurations for an output flow node in your flow. The last node in the flow. `outputs` can't be specified for this node.", "Prompt": "Contains configurations for a prompt node in your flow. Runs a prompt and generates the model response as the output. You can use a prompt from Prompt management or you can configure one in this node.", - "Retrieval": "Contains configurations for a Retrieval node in your flow. Retrieves data from an Amazon S3 location and returns it as the output.", - "Storage": "Contains configurations for a Storage node in your flow. Stores an input in an Amazon S3 location." + "Retrieval": "Contains configurations for a retrieval node in your flow. Retrieves data from an Amazon S3 location and returns it as the output.", + "Storage": "Contains configurations for a storage node in your flow. Stores an input in an Amazon S3 location." }, "AWS::Bedrock::Flow FlowNodeInput": { + "Category": "Specifies how input data flows between iterations in a DoWhile loop.\n\n- `LoopCondition` - Controls whether the loop continues by evaluating condition expressions against the input data. Use this category to define the condition that determines if the loop should continue.\n- `ReturnValueToLoopStart` - Defines data to pass back to the start of the loop's next iteration. Use this category for variables that you want to update for each loop iteration.\n- `ExitLoop` - Defines the value that's available once the loop ends. Use this category to expose loop results to nodes outside the loop.", "Expression": "An expression that formats the input for the node. For an explanation of how to create expressions, see [Expressions in Prompt flows in Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/flows-expressions.html) .", - "Name": "A name for the input that you can reference.", - "Type": "The data type of the input. If the input doesn't match this type at runtime, a validation error will be thrown." + "Name": "Specifies a name for the input that you can reference.", + "Type": "Specifies the data type of the input. If the input doesn't match this type at runtime, a validation error will be thrown." }, "AWS::Bedrock::Flow FlowNodeOutput": { "Name": "A name for the output that you can reference.", @@ -5742,10 +5835,28 @@ "GuardrailIdentifier": "The identifier for the guardrail.", "GuardrailVersion": "The version of the guardrail." }, + "AWS::Bedrock::Flow InlineCodeFlowNodeConfiguration": { + "Code": "The code that's executed in your inline code node. The code can access input data from previous nodes in the flow, perform operations on that data, and produce output that can be used by other nodes in your flow.\n\nThe code must be valid in the programming `language` that you specify.", + "Language": "The programming language used by your inline code node.\n\nThe code must be valid in the programming `language` that you specify. Currently, only Python 3 ( `Python_3` ) is supported." + }, "AWS::Bedrock::Flow KnowledgeBaseFlowNodeConfiguration": { "GuardrailConfiguration": "Contains configurations for a guardrail to apply during query and response generation for the knowledge base in this configuration.", + "InferenceConfiguration": "Contains inference configurations for the prompt.", "KnowledgeBaseId": "The unique identifier of the knowledge base to query.", - "ModelId": "The unique identifier of the model or [inference profile](https://docs.aws.amazon.com/bedrock/latest/userguide/cross-region-inference.html) to use to generate a response from the query results. Omit this field if you want to return the retrieved results as an array." + "ModelId": "The unique identifier of the model or [inference profile](https://docs.aws.amazon.com/bedrock/latest/userguide/cross-region-inference.html) to use to generate a response from the query results. Omit this field if you want to return the retrieved results as an array.", + "NumberOfResults": "The number of results to retrieve from the knowledge base.", + "OrchestrationConfiguration": "The configuration for orchestrating the retrieval and generation process in the knowledge base node.", + "PromptTemplate": "A custom prompt template to use with the knowledge base for generating responses.", + "RerankingConfiguration": "The configuration for reranking the retrieved results from the knowledge base to improve relevance." + }, + "AWS::Bedrock::Flow KnowledgeBaseOrchestrationConfiguration": { + "AdditionalModelRequestFields": "The additional model-specific request parameters as key-value pairs to be included in the request to the foundation model.", + "InferenceConfig": "Contains inference configurations for the prompt.", + "PerformanceConfig": "The performance configuration options for the knowledge base retrieval and generation process.", + "PromptTemplate": "A custom prompt template for orchestrating the retrieval and generation process." + }, + "AWS::Bedrock::Flow KnowledgeBasePromptTemplate": { + "TextPromptTemplate": "The text of the prompt template." }, "AWS::Bedrock::Flow LambdaFunctionFlowNodeConfiguration": { "LambdaArn": "The Amazon Resource Name (ARN) of the Lambda function to invoke." @@ -5754,6 +5865,20 @@ "BotAliasArn": "The Amazon Resource Name (ARN) of the Amazon Lex bot alias to invoke.", "LocaleId": "The Region to invoke the Amazon Lex bot in." }, + "AWS::Bedrock::Flow LoopControllerFlowNodeConfiguration": { + "ContinueCondition": "Specifies the condition that determines when the flow exits the DoWhile loop. The loop executes until this condition evaluates to true.", + "MaxIterations": "Specifies the maximum number of times the DoWhile loop can iterate before the flow exits the loop." + }, + "AWS::Bedrock::Flow LoopFlowNodeConfiguration": { + "Definition": "The definition of the DoWhile loop nodes and connections between nodes in the flow." + }, + "AWS::Bedrock::Flow MetadataConfigurationForReranking": { + "SelectionMode": "Specifies whether to consider all metadata when reranking, or only the metadata that you select. If you specify `SELECTIVE` , include the `selectiveModeConfiguration` field.", + "SelectiveModeConfiguration": "Contains configurations for the metadata fields to include or exclude when considering reranking." + }, + "AWS::Bedrock::Flow PerformanceConfiguration": { + "Latency": "To use a latency-optimized version of the model, set to `optimized` ." + }, "AWS::Bedrock::Flow PromptFlowNodeConfiguration": { "GuardrailConfiguration": "Contains configurations for a guardrail to apply to the prompt in this node and the response generated from it.", "SourceConfiguration": "Specifies whether the prompt is from Prompt management or defined inline." @@ -5786,6 +5911,10 @@ "AWS::Bedrock::Flow PromptTemplateConfiguration": { "Text": "Contains configurations for the text in a message for a prompt." }, + "AWS::Bedrock::Flow RerankingMetadataSelectiveModeConfiguration": { + "FieldsToExclude": "An array of objects, each of which specifies a metadata field to exclude from consideration when reranking.", + "FieldsToInclude": "An array of objects, each of which specifies a metadata field to include in consideration when reranking. The remaining metadata fields are ignored." + }, "AWS::Bedrock::Flow RetrievalFlowNodeConfiguration": { "ServiceConfiguration": "Contains configurations for the service to use for retrieving data to return as the output from the node." }, @@ -5813,13 +5942,31 @@ "InputVariables": "An array of the variables in the prompt template.", "Text": "The message for the prompt." }, + "AWS::Bedrock::Flow VectorSearchBedrockRerankingConfiguration": { + "MetadataConfiguration": "Contains configurations for the metadata to use in reranking.", + "ModelConfiguration": "Contains configurations for the reranker model.", + "NumberOfRerankedResults": "The number of results to return after reranking." + }, + "AWS::Bedrock::Flow VectorSearchBedrockRerankingModelConfiguration": { + "AdditionalModelRequestFields": "A JSON object whose keys are request fields for the model and whose values are values for those fields.", + "ModelArn": "The ARN of the reranker model to use." + }, + "AWS::Bedrock::Flow VectorSearchRerankingConfiguration": { + "BedrockRerankingConfiguration": "Contains configurations for an Amazon Bedrock reranker model.", + "Type": "The type of reranker model." + }, "AWS::Bedrock::FlowAlias": { + "ConcurrencyConfiguration": "The configuration that specifies how nodes in the flow are executed concurrently.", "Description": "A description of the alias.", "FlowArn": "The Amazon Resource Name (ARN) of the alias.", "Name": "The name of the alias.", "RoutingConfiguration": "A list of configurations about the versions that the alias maps to. Currently, you can only specify one.", "Tags": "Metadata that you can assign to a resource as key-value pairs. For more information, see the following resources:\n\n- [Tag naming limits and requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions)\n- [Tagging best practices](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-best-practices)" }, + "AWS::Bedrock::FlowAlias FlowAliasConcurrencyConfiguration": { + "MaxConcurrency": "The maximum number of nodes that can be executed concurrently in the flow.", + "Type": "The type of concurrency to use for parallel node execution. Specify one of the following options:\n\n- `Automatic` - Amazon Bedrock determines which nodes can be executed in parallel based on the flow definition and its dependencies.\n- `Manual` - You specify which nodes can be executed in parallel." + }, "AWS::Bedrock::FlowAlias FlowAliasRoutingConfigurationListItem": { "FlowVersion": "The version that the alias maps to." }, @@ -5833,6 +5980,9 @@ "AWS::Bedrock::FlowVersion ConditionFlowNodeConfiguration": { "Conditions": "An array of conditions. Each member contains the name of a condition and an expression that defines the condition." }, + "AWS::Bedrock::FlowVersion FieldForReranking": { + "FieldName": "The name of a metadata field to include in or exclude from consideration when reranking." + }, "AWS::Bedrock::FlowVersion FlowCondition": { "Expression": "Defines the condition. You must refer to at least one of the inputs in the condition. For more information, expand the Condition node section in [Node types in prompt flows](https://docs.aws.amazon.com/bedrock/latest/userguide/flows-how-it-works.html#flows-nodes) .", "Name": "A name for the condition that you can reference." @@ -5869,21 +6019,25 @@ "AWS::Bedrock::FlowVersion FlowNodeConfiguration": { "Agent": "Contains configurations for an agent node in your flow. Invokes an alias of an agent and returns the response.", "Collector": "Contains configurations for a collector node in your flow. Collects an iteration of inputs and consolidates them into an array of outputs.", - "Condition": "Contains configurations for a Condition node in your flow. Defines conditions that lead to different branches of the flow.", + "Condition": "Contains configurations for a condition node in your flow. Defines conditions that lead to different branches of the flow.", + "InlineCode": "Contains configurations for an inline code node in your flow. Inline code nodes let you write and execute code directly within your flow, enabling data transformations, custom logic, and integrations without needing an external Lambda function.", "Input": "Contains configurations for an input flow node in your flow. The first node in the flow. `inputs` can't be specified for this node.", "Iterator": "Contains configurations for an iterator node in your flow. Takes an input that is an array and iteratively sends each item of the array as an output to the following node. The size of the array is also returned in the output.\n\nThe output flow node at the end of the flow iteration will return a response for each member of the array. To return only one response, you can include a collector node downstream from the iterator node.", "KnowledgeBase": "Contains configurations for a knowledge base node in your flow. Queries a knowledge base and returns the retrieved results or generated response.", "LambdaFunction": "Contains configurations for a Lambda function node in your flow. Invokes an AWS Lambda function.", "Lex": "Contains configurations for a Lex node in your flow. Invokes an Amazon Lex bot to identify the intent of the input and return the intent as the output.", + "Loop": "Contains configurations for a DoWhile loop in your flow.", + "LoopController": "Contains controller node configurations for a DoWhile loop in your flow.", + "LoopInput": "Contains input node configurations for a DoWhile loop in your flow.", "Output": "Contains configurations for an output flow node in your flow. The last node in the flow. `outputs` can't be specified for this node.", "Prompt": "Contains configurations for a prompt node in your flow. Runs a prompt and generates the model response as the output. You can use a prompt from Prompt management or you can configure one in this node.", - "Retrieval": "Contains configurations for a Retrieval node in your flow. Retrieves data from an Amazon S3 location and returns it as the output.", - "Storage": "Contains configurations for a Storage node in your flow. Stores an input in an Amazon S3 location." + "Retrieval": "Contains configurations for a retrieval node in your flow. Retrieves data from an Amazon S3 location and returns it as the output.", + "Storage": "Contains configurations for a storage node in your flow. Stores an input in an Amazon S3 location." }, "AWS::Bedrock::FlowVersion FlowNodeInput": { "Expression": "An expression that formats the input for the node. For an explanation of how to create expressions, see [Expressions in Prompt flows in Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/flows-expressions.html) .", - "Name": "A name for the input that you can reference.", - "Type": "The data type of the input. If the input doesn't match this type at runtime, a validation error will be thrown." + "Name": "Specifies a name for the input that you can reference.", + "Type": "Specifies the data type of the input. If the input doesn't match this type at runtime, a validation error will be thrown." }, "AWS::Bedrock::FlowVersion FlowNodeOutput": { "Name": "A name for the output that you can reference.", @@ -5893,10 +6047,28 @@ "GuardrailIdentifier": "The identifier for the guardrail.", "GuardrailVersion": "The version of the guardrail." }, + "AWS::Bedrock::FlowVersion InlineCodeFlowNodeConfiguration": { + "Code": "The code that's executed in your inline code node. The code can access input data from previous nodes in the flow, perform operations on that data, and produce output that can be used by other nodes in your flow.\n\nThe code must be valid in the programming `language` that you specify.", + "Language": "The programming language used by your inline code node.\n\nThe code must be valid in the programming `language` that you specify. Currently, only Python 3 ( `Python_3` ) is supported." + }, "AWS::Bedrock::FlowVersion KnowledgeBaseFlowNodeConfiguration": { "GuardrailConfiguration": "Contains configurations for a guardrail to apply during query and response generation for the knowledge base in this configuration.", + "InferenceConfiguration": "Contains inference configurations for the prompt.", "KnowledgeBaseId": "The unique identifier of the knowledge base to query.", - "ModelId": "The unique identifier of the model or [inference profile](https://docs.aws.amazon.com/bedrock/latest/userguide/cross-region-inference.html) to use to generate a response from the query results. Omit this field if you want to return the retrieved results as an array." + "ModelId": "The unique identifier of the model or [inference profile](https://docs.aws.amazon.com/bedrock/latest/userguide/cross-region-inference.html) to use to generate a response from the query results. Omit this field if you want to return the retrieved results as an array.", + "NumberOfResults": "The number of results to retrieve from the knowledge base.", + "OrchestrationConfiguration": "The configuration for orchestrating the retrieval and generation process in the knowledge base node.", + "PromptTemplate": "A custom prompt template to use with the knowledge base for generating responses.", + "RerankingConfiguration": "The configuration for reranking the retrieved results from the knowledge base to improve relevance." + }, + "AWS::Bedrock::FlowVersion KnowledgeBaseOrchestrationConfiguration": { + "AdditionalModelRequestFields": "The additional model-specific request parameters as key-value pairs to be included in the request to the foundation model.", + "InferenceConfig": "Contains inference configurations for the prompt.", + "PerformanceConfig": "The performance configuration options for the knowledge base retrieval and generation process.", + "PromptTemplate": "A custom prompt template for orchestrating the retrieval and generation process." + }, + "AWS::Bedrock::FlowVersion KnowledgeBasePromptTemplate": { + "TextPromptTemplate": "The text of the prompt template." }, "AWS::Bedrock::FlowVersion LambdaFunctionFlowNodeConfiguration": { "LambdaArn": "The Amazon Resource Name (ARN) of the Lambda function to invoke." @@ -5905,6 +6077,20 @@ "BotAliasArn": "The Amazon Resource Name (ARN) of the Amazon Lex bot alias to invoke.", "LocaleId": "The Region to invoke the Amazon Lex bot in." }, + "AWS::Bedrock::FlowVersion LoopControllerFlowNodeConfiguration": { + "ContinueCondition": "Specifies the condition that determines when the flow exits the DoWhile loop. The loop executes until this condition evaluates to true.", + "MaxIterations": "Specifies the maximum number of times the DoWhile loop can iterate before the flow exits the loop." + }, + "AWS::Bedrock::FlowVersion LoopFlowNodeConfiguration": { + "Definition": "The definition of the DoWhile loop nodes and connections between nodes in the flow." + }, + "AWS::Bedrock::FlowVersion MetadataConfigurationForReranking": { + "SelectionMode": "Specifies whether to consider all metadata when reranking, or only the metadata that you select. If you specify `SELECTIVE` , include the `selectiveModeConfiguration` field.", + "SelectiveModeConfiguration": "Contains configurations for the metadata fields to include or exclude when considering reranking." + }, + "AWS::Bedrock::FlowVersion PerformanceConfiguration": { + "Latency": "To use a latency-optimized version of the model, set to `optimized` ." + }, "AWS::Bedrock::FlowVersion PromptFlowNodeConfiguration": { "GuardrailConfiguration": "Contains configurations for a guardrail to apply to the prompt in this node and the response generated from it.", "SourceConfiguration": "Specifies whether the prompt is from Prompt management or defined inline." @@ -5937,6 +6123,10 @@ "AWS::Bedrock::FlowVersion PromptTemplateConfiguration": { "Text": "Contains configurations for the text in a message for a prompt." }, + "AWS::Bedrock::FlowVersion RerankingMetadataSelectiveModeConfiguration": { + "FieldsToExclude": "An array of objects, each of which specifies a metadata field to exclude from consideration when reranking.", + "FieldsToInclude": "An array of objects, each of which specifies a metadata field to include in consideration when reranking. The remaining metadata fields are ignored." + }, "AWS::Bedrock::FlowVersion RetrievalFlowNodeConfiguration": { "ServiceConfiguration": "Contains configurations for the service to use for retrieving data to return as the output from the node." }, @@ -5959,6 +6149,19 @@ "InputVariables": "An array of the variables in the prompt template.", "Text": "The message for the prompt." }, + "AWS::Bedrock::FlowVersion VectorSearchBedrockRerankingConfiguration": { + "MetadataConfiguration": "Contains configurations for the metadata to use in reranking.", + "ModelConfiguration": "Contains configurations for the reranker model.", + "NumberOfRerankedResults": "The number of results to return after reranking." + }, + "AWS::Bedrock::FlowVersion VectorSearchBedrockRerankingModelConfiguration": { + "AdditionalModelRequestFields": "A JSON object whose keys are request fields for the model and whose values are values for those fields.", + "ModelArn": "The ARN of the reranker model to use." + }, + "AWS::Bedrock::FlowVersion VectorSearchRerankingConfiguration": { + "BedrockRerankingConfiguration": "Contains configurations for an Amazon Bedrock reranker model.", + "Type": "The type of reranker model." + }, "AWS::Bedrock::Guardrail": { "BlockedInputMessaging": "The message to return when the guardrail blocks a prompt.", "BlockedOutputsMessaging": "The message to return when the guardrail blocks a model response.", @@ -6056,6 +6259,24 @@ "Description": "A description of the guardrail version.", "GuardrailIdentifier": "The unique identifier of the guardrail. This can be an ID or the ARN." }, + "AWS::Bedrock::IntelligentPromptRouter": { + "Description": "An optional description of the prompt router to help identify its purpose.", + "FallbackModel": "The default model to use when the routing criteria is not met.", + "Models": "A list of foundation models that the prompt router can route requests to. At least one model must be specified.", + "PromptRouterName": "The name of the prompt router. The name must be unique within your AWS account in the current region.", + "RoutingCriteria": "Routing criteria for a prompt router.", + "Tags": "An array of key-value pairs to apply to this resource as tags. You can use tags to categorize and manage your AWS resources." + }, + "AWS::Bedrock::IntelligentPromptRouter PromptRouterTargetModel": { + "ModelArn": "The target model's ARN." + }, + "AWS::Bedrock::IntelligentPromptRouter RoutingCriteria": { + "ResponseQualityDifference": "The criteria's response quality difference." + }, + "AWS::Bedrock::IntelligentPromptRouter Tag": { + "Key": "The tag's key.", + "Value": "The value associated with a tag." + }, "AWS::Bedrock::KnowledgeBase": { "Description": "The description of the knowledge base associated with the inline agent.", "KnowledgeBaseConfiguration": "Contains details about the embeddings configuration of the knowledge base.", @@ -6531,10 +6752,17 @@ "BudgetType": "Specifies whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage.", "CostFilters": "The cost filters, such as `Region` , `Service` , `LinkedAccount` , `Tag` , or `CostCategory` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", "CostTypes": "The types of costs that are included in this `COST` budget.\n\n`USAGE` , `RI_UTILIZATION` , `RI_COVERAGE` , `SAVINGS_PLANS_UTILIZATION` , and `SAVINGS_PLANS_COVERAGE` budgets do not have `CostTypes` .", + "FilterExpression": "", + "Metrics": "", "PlannedBudgetLimits": "A map containing multiple `BudgetLimit` , including current or future limits.\n\n`PlannedBudgetLimits` is available for cost or usage budget and supports both monthly and quarterly `TimeUnit` .\n\nFor monthly budgets, provide 12 months of `PlannedBudgetLimits` values. This must start from the current month and include the next 11 months. The `key` is the start of the month, `UTC` in epoch seconds.\n\nFor quarterly budgets, provide four quarters of `PlannedBudgetLimits` value entries in standard calendar quarter increments. This must start from the current quarter and include the next three quarters. The `key` is the start of the quarter, `UTC` in epoch seconds.\n\nIf the planned budget expires before 12 months for monthly or four quarters for quarterly, provide the `PlannedBudgetLimits` values only for the remaining periods.\n\nIf the budget begins at a date in the future, provide `PlannedBudgetLimits` values from the start date of the budget.\n\nAfter all of the `BudgetLimit` values in `PlannedBudgetLimits` are used, the budget continues to use the last limit as the `BudgetLimit` . At that point, the planned budget provides the same experience as a fixed budget.\n\n`DescribeBudget` and `DescribeBudgets` response along with `PlannedBudgetLimits` also contain `BudgetLimit` representing the current month or quarter limit present in `PlannedBudgetLimits` . This only applies to budgets that are created with `PlannedBudgetLimits` . Budgets that are created without `PlannedBudgetLimits` only contain `BudgetLimit` . They don't contain `PlannedBudgetLimits` .", "TimePeriod": "The period of time that is covered by a budget. The period has a start date and an end date. The start date must come before the end date. There are no restrictions on the end date.\n\nThe start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nAfter the end date, AWS deletes the budget and all associated notifications and subscribers.", "TimeUnit": "The length of time until a budget resets the actual and forecasted spend. `DAILY` is available only for `RI_UTILIZATION` and `RI_COVERAGE` budgets." }, + "AWS::Budgets::Budget CostCategoryValues": { + "Key": "The unique name of the cost category.", + "MatchOptions": "The match options that you can use to filter your results.", + "Values": "The specific value of the cost category." + }, "AWS::Budgets::Budget CostTypes": { "IncludeCredit": "Specifies whether a budget includes credits.\n\nThe default value is `true` .", "IncludeDiscount": "Specifies whether a budget includes discounts.\n\nThe default value is `true` .", @@ -6548,6 +6776,19 @@ "UseAmortized": "Specifies whether a budget uses the amortized rate.\n\nThe default value is `false` .", "UseBlended": "Specifies whether a budget uses a blended rate.\n\nThe default value is `false` ." }, + "AWS::Budgets::Budget Expression": { + "And": "Return results that match both Dimension objects.", + "CostCategories": "The filter that's based on CostCategoryValues.", + "Dimensions": "The specific Dimension to use for Expression.", + "Not": "Return results that don't match a Dimension object.", + "Or": "Return results that match either Dimension object.", + "Tags": "The specific Tag to use for Expression." + }, + "AWS::Budgets::Budget ExpressionDimensionValues": { + "Key": "The name of the dimension that you want to filter on.", + "MatchOptions": "The match options that you can use to filter your results. You can specify only one of these values in the array.", + "Values": "The metadata values you can specify to filter upon, so that the results all match at least one of the specified values." + }, "AWS::Budgets::Budget HistoricalOptions": { "BudgetAdjustmentPeriod": "The number of budget periods included in the moving-average calculation that determines your auto-adjusted budget amount. The maximum value depends on the `TimeUnit` granularity of the budget:\n\n- For the `DAILY` granularity, the maximum value is `60` .\n- For the `MONTHLY` granularity, the maximum value is `12` .\n- For the `QUARTERLY` granularity, the maximum value is `4` .\n- For the `ANNUALLY` granularity, the maximum value is `1` ." }, @@ -6573,6 +6814,11 @@ "Address": "The address that AWS sends budget notifications to, either an SNS topic or an email.\n\nWhen you create a subscriber, the value of `Address` can't contain line breaks.", "SubscriptionType": "The type of notification that AWS sends to a subscriber." }, + "AWS::Budgets::Budget TagValues": { + "Key": "The key for the tag.", + "MatchOptions": "The match options that you can use to filter your results.", + "Values": "The specific value of the tag." + }, "AWS::Budgets::Budget TimePeriod": { "End": "The end date for a budget. If you didn't specify an end date, AWS set your end date to `06/15/87 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nAfter the end date, AWS deletes the budget and all the associated notifications and subscribers. You can change your end date with the `UpdateBudget` operation.", "Start": "The start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nValid values depend on the value of `BudgetType` :\n\n- If `BudgetType` is `COST` or `USAGE` : Valid values are `MONTHLY` , `QUARTERLY` , and `ANNUALLY` .\n- If `BudgetType` is `RI_UTILIZATION` or `RI_COVERAGE` : Valid values are `DAILY` , `MONTHLY` , `QUARTERLY` , and `ANNUALLY` ." @@ -7389,7 +7635,7 @@ "LogRoleArn": "The ARN of the role that CloudFormation should assume when sending log entries to CloudWatch logs." }, "AWS::CloudFormation::Stack": { - "Capabilities": "In some cases, you must explicitly acknowledge that your stack template contains certain capabilities in order for CloudFormation to create the stack.\n\n- `CAPABILITY_IAM` and `CAPABILITY_NAMED_IAM`\n\nSome stack templates might include resources that can affect permissions in your AWS account ; for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge this by specifying one of these capabilities.\n\nThe following IAM resources require you to specify either the `CAPABILITY_IAM` or `CAPABILITY_NAMED_IAM` capability.\n\n- If you have IAM resources, you can specify either capability.\n- If you have IAM resources with custom names, you *must* specify `CAPABILITY_NAMED_IAM` .\n- If you don't specify either of these capabilities, CloudFormation returns an `InsufficientCapabilities` error.\n\nIf your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.\n\n- [AWS::IAM::AccessKey](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-accesskey.html)\n- [AWS::IAM::Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-group.html)\n- [AWS::IAM::InstanceProfile](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html)\n- [AWS::IAM::Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)\n- [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)\n- [AWS::IAM::User](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-user.html)\n- [`AWS::IAM::UserToGroupAddition`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-usertogroupaddition.html)\n\nFor more information, see [Acknowledging IAM resources in CloudFormation templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html#using-iam-capabilities) in the *AWS CloudFormation User Guide* .\n- `CAPABILITY_AUTO_EXPAND`\n\nSome template contain macros. Macros perform custom processing on templates; this can include simple actions like find-and-replace operations, all the way to extensive transformations of entire templates. Because of this, users typically create a change set from the processed template, so that they can review the changes resulting from the macros before actually creating the stack. If your stack template contains one or more macros, and you choose to create a stack directly from the processed template, without first reviewing the resulting changes in a change set, you must acknowledge this capability. This includes the [AWS::Include](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-aws-include.html) and [AWS::Serverless](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-aws-serverless.html) transforms, which are macros hosted by CloudFormation .\n\nIf you want to create a stack from a stack template that contains macros *and* nested stacks, you must create the stack directly from the template using this capability.\n\n> You should only create stacks directly from a stack template that contains macros if you know what processing the macro performs.\n> \n> Each macro relies on an underlying Lambda service function for processing stack templates. Be aware that the Lambda function owner can update the function operation without CloudFormation being notified. \n\nFor more information, see [Perform custom processing on CloudFormation templates with template macros](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html) in the *AWS CloudFormation User Guide* .", + "Capabilities": "In some cases, you must explicitly acknowledge that your stack template contains certain capabilities in order for CloudFormation to create the stack.\n\n- `CAPABILITY_IAM` and `CAPABILITY_NAMED_IAM`\n\nSome stack templates might include resources that can affect permissions in your AWS account ; for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge this by specifying one of these capabilities.\n\nThe following IAM resources require you to specify either the `CAPABILITY_IAM` or `CAPABILITY_NAMED_IAM` capability.\n\n- If you have IAM resources, you can specify either capability.\n- If you have IAM resources with custom names, you *must* specify `CAPABILITY_NAMED_IAM` .\n- If you don't specify either of these capabilities, CloudFormation returns an `InsufficientCapabilities` error.\n\nIf your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.\n\n- [AWS::IAM::AccessKey](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-accesskey.html)\n- [AWS::IAM::Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-group.html)\n- [AWS::IAM::InstanceProfile](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html)\n- [AWS::IAM::Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)\n- [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)\n- [AWS::IAM::User](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-user.html)\n- [AWS::IAM::UserToGroupAddition](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-usertogroupaddition.html)\n\nFor more information, see [Acknowledging IAM resources in CloudFormation templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html#using-iam-capabilities) in the *AWS CloudFormation User Guide* .\n- `CAPABILITY_AUTO_EXPAND`\n\nSome template contain macros. Macros perform custom processing on templates; this can include simple actions like find-and-replace operations, all the way to extensive transformations of entire templates. Because of this, users typically create a change set from the processed template, so that they can review the changes resulting from the macros before actually creating the stack. If your stack template contains one or more macros, and you choose to create a stack directly from the processed template, without first reviewing the resulting changes in a change set, you must acknowledge this capability. This includes the [AWS::Include](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-aws-include.html) and [AWS::Serverless](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-aws-serverless.html) transforms, which are macros hosted by CloudFormation .\n\nIf you want to create a stack from a stack template that contains macros *and* nested stacks, you must create the stack directly from the template using this capability.\n\n> You should only create stacks directly from a stack template that contains macros if you know what processing the macro performs.\n> \n> Each macro relies on an underlying Lambda service function for processing stack templates. Be aware that the Lambda function owner can update the function operation without CloudFormation being notified. \n\nFor more information, see [Perform custom processing on CloudFormation templates with template macros](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html) in the *AWS CloudFormation User Guide* .", "ChangeSetId": "The unique ID of the change set.", "CreationTime": "The time at which the stack was created.", "Description": "A user-defined description associated with the stack.", @@ -7399,9 +7645,9 @@ "NotificationARNs": "The Amazon SNS topic ARNs to publish stack related events. You can find your Amazon SNS topic ARNs using the Amazon SNS console or your Command Line Interface (CLI).", "Outputs": "A list of output structures.", "Parameters": "The set value pairs that represent the parameters passed to CloudFormation when this nested stack is created. Each parameter has a name corresponding to a parameter defined in the embedded template and a value representing the value that you want to set for the parameter.\n\n> If you use the `Ref` function to pass a parameter value to a nested stack, comma-delimited list parameters must be of type `String` . In other words, you can't pass values that are of type `CommaDelimitedList` to nested stacks. \n\nRequired if the nested stack requires input parameters.\n\nWhether an update causes interruptions depends on the resources that are being updated. An update never causes a nested stack to be replaced.", - "ParentId": "For nested stacks--stacks created as resources for another stack--the stack ID of the direct parent of this stack. For the first level of nested stacks, the root stack is also the parent stack.\n\nFor more information, see [Embed stacks within other stacks using nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .", + "ParentId": "For nested stacks, the stack ID of the direct parent of this stack. For the first level of nested stacks, the root stack is also the parent stack.\n\nFor more information, see [Nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .", "RoleARN": "The Amazon Resource Name (ARN) of an IAM role that CloudFormation assumes to create the stack. CloudFormation uses the role's credentials to make calls on your behalf. CloudFormation always uses this role for all future operations on the stack. Provided that users have permission to operate on the stack, CloudFormation uses this role even if the users don't have permission to pass it. Ensure that the role grants least privilege.\n\nIf you don't specify a value, CloudFormation uses the role that was previously associated with the stack. If no role is available, CloudFormation uses a temporary session that's generated from your user credentials.", - "RootId": "For nested stacks--stacks created as resources for another stack--the stack ID of the top-level stack to which the nested stack ultimately belongs.\n\nFor more information, see [Embed stacks within other stacks using nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .", + "RootId": "For nested stacks, the stack ID of the top-level stack to which the nested stack ultimately belongs.\n\nFor more information, see [Nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .", "StackId": "Unique identifier of the stack.", "StackName": "The name that's associated with the stack. The name must be unique in the Region in which you are creating the stack.\n\n> A stack name can contain only alphanumeric characters (case sensitive) and hyphens. It must start with an alphabetical character and can't be longer than 128 characters.", "StackPolicyBody": "Structure containing the stack policy body. For more information, go to [Prevent updates to stack resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html) in the *AWS CloudFormation User Guide* . You can specify either the `StackPolicyBody` or the `StackPolicyURL` parameter, but not both.", @@ -7425,7 +7671,7 @@ }, "AWS::CloudFormation::StackSet": { "AdministrationRoleARN": "The Amazon Resource Number (ARN) of the IAM role to use to create this stack set. Specify an IAM role only if you are using customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account.\n\nUse customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account. For more information, see [Grant self-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html) in the *AWS CloudFormation User Guide* .\n\nValid only if the permissions model is `SELF_MANAGED` .", - "AutoDeployment": "Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). For more information, see [Manage automatic deployments for CloudFormation StackSets that use service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.html) in the *AWS CloudFormation User Guide* .\n\nRequired if the permissions model is `SERVICE_MANAGED` . (Not used with self-managed permissions.)", + "AutoDeployment": "Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). For more information, see [Enable or disable automatic deployments for StackSets in AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.html) in the *AWS CloudFormation User Guide* .\n\nRequired if the permissions model is `SERVICE_MANAGED` . (Not used with self-managed permissions.)", "CallAs": "Specifies whether you are acting as an account administrator in the organization's management account or as a delegated administrator in a member account.\n\nBy default, `SELF` is specified. Use `SELF` for stack sets with self-managed permissions.\n\n- To create a stack set with service-managed permissions while signed in to the management account, specify `SELF` .\n- To create a stack set with service-managed permissions while signed in to a delegated administrator account, specify `DELEGATED_ADMIN` .\n\nYour AWS account must be registered as a delegated admin in the management account. For more information, see [Register a delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) in the *AWS CloudFormation User Guide* .\n\nStack sets with service-managed permissions are created in the management account, including stack sets that are created by delegated administrators.\n\nValid only if the permissions model is `SERVICE_MANAGED` .", "Capabilities": "The capabilities that are allowed in the stack set. Some stack set templates might include resources that can affect permissions in your AWS account \u2014for example, by creating new IAM users. For more information, see [Acknowledging IAM resources in CloudFormation templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html#using-iam-capabilities) in the *AWS CloudFormation User Guide* .", "Description": "A description of the stack set.", @@ -7554,6 +7800,17 @@ "AWS::CloudFront::CloudFrontOriginAccessIdentity CloudFrontOriginAccessIdentityConfig": { "Comment": "A comment to describe the origin access identity. The comment cannot be longer than 128 characters." }, + "AWS::CloudFront::ConnectionGroup": { + "AnycastIpListId": "The ID of the Anycast static IP list.", + "Enabled": "Whether the connection group is enabled.", + "Ipv6Enabled": "IPv6 is enabled for the connection group.", + "Name": "The name of the connection group.", + "Tags": "A complex type that contains zero or more `Tag` elements." + }, + "AWS::CloudFront::ConnectionGroup Tag": { + "Key": "A string that contains `Tag` key.\n\nThe string length should be between 1 and 128 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` .", + "Value": "A string that contains an optional `Tag` value.\n\nThe string length should be between 0 and 256 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` ." + }, "AWS::CloudFront::ContinuousDeploymentPolicy": { "ContinuousDeploymentPolicyConfig": "Contains the configuration for a continuous deployment policy." }, @@ -7657,12 +7914,16 @@ "TrustedSigners": "> We recommend using `TrustedKeyGroups` instead of `TrustedSigners` . \n\nA list of AWS account IDs whose public keys CloudFront can use to validate signed URLs or signed cookies.\n\nWhen a cache behavior contains trusted signers, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with the private key of a CloudFront key pair in a trusted signer's AWS account . The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see [Serving private content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html) in the *Amazon CloudFront Developer Guide* .", "ViewerProtocolPolicy": "The protocol that viewers can use to access the files in the origin specified by `TargetOriginId` when a request matches the path pattern in `PathPattern` . You can specify the following options:\n\n- `allow-all` : Viewers can use HTTP or HTTPS.\n- `redirect-to-https` : If a viewer submits an HTTP request, CloudFront returns an HTTP status code of 301 (Moved Permanently) to the viewer along with the HTTPS URL. The viewer then resubmits the request using the new URL.\n- `https-only` : If a viewer sends an HTTP request, CloudFront returns an HTTP status code of 403 (Forbidden).\n\nFor more information about requiring the HTTPS protocol, see [Requiring HTTPS Between Viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html) in the *Amazon CloudFront Developer Guide* .\n\n> The only way to guarantee that viewers retrieve an object that was fetched from the origin using HTTPS is never to use any other protocol to fetch the object. If you have recently changed from HTTP to HTTPS, we recommend that you clear your objects' cache because cached objects are protocol agnostic. That means that an edge location will return an object from the cache regardless of whether the current request protocol matches the protocol used previously. For more information, see [Managing Cache Expiration](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Expiration.html) in the *Amazon CloudFront Developer Guide* ." }, + "AWS::CloudFront::Distribution Definition": { + "StringSchema": "" + }, "AWS::CloudFront::Distribution DistributionConfig": { "Aliases": "A complex type that contains information about CNAMEs (alternate domain names), if any, for this distribution.", "AnycastIpListId": "ID of the Anycast static IP list that is associated with the distribution.", "CNAMEs": "An alias for the CloudFront distribution's domain name.\n\n> This property is legacy. We recommend that you use [Aliases](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-aliases) instead.", "CacheBehaviors": "A complex type that contains zero or more `CacheBehavior` elements.", "Comment": "A comment to describe the distribution. The comment cannot be longer than 128 characters.", + "ConnectionMode": "The connection mode to filter distributions by.", "ContinuousDeploymentPolicyId": "The identifier of a continuous deployment policy. For more information, see `CreateContinuousDeploymentPolicy` .", "CustomErrorResponses": "A complex type that controls the following:\n\n- Whether CloudFront replaces HTTP status codes in the 4xx and 5xx range with custom error messages before returning the response to the viewer.\n- How long CloudFront caches HTTP status codes in the 4xx and 5xx range.\n\nFor more information about custom error pages, see [Customizing Error Responses](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-error-pages.html) in the *Amazon CloudFront Developer Guide* .", "CustomOrigin": "The user-defined HTTP server that serves as the origin for content that CloudFront distributes.\n\n> This property is legacy. We recommend that you use [Origin](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html) instead.", @@ -7678,6 +7939,7 @@ "Restrictions": "A complex type that identifies ways in which you want to restrict distribution of your content.", "S3Origin": "The origin as an Amazon S3 bucket.\n\n> This property is legacy. We recommend that you use [Origin](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html) instead.", "Staging": "A Boolean that indicates whether this is a staging distribution. When this value is `true` , this is a staging distribution. When this value is `false` , this is not a staging distribution.", + "TenantConfig": "A distribution tenant configuration.", "ViewerCertificate": "A complex type that determines the distribution's SSL/TLS configuration for communicating with viewers.", "WebACLId": "A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution. To specify a web ACL created using the latest version of AWS WAF , use the ACL ARN, for example `arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111` . To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111` .\n\nAWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, and lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked. For more information about AWS WAF , see the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html) ." }, @@ -7760,6 +8022,10 @@ "Enabled": "A flag that specifies whether Origin Shield is enabled.\n\nWhen it's enabled, CloudFront routes all requests through Origin Shield, which can help protect your origin. When it's disabled, CloudFront might send requests directly to your origin from multiple edge locations or regional edge caches.", "OriginShieldRegion": "The AWS Region for Origin Shield.\n\nSpecify the AWS Region that has the lowest latency to your origin. To specify a region, use the region code, not the region name. For example, specify the US East (Ohio) region as `us-east-2` .\n\nWhen you enable CloudFront Origin Shield, you must specify the AWS Region for Origin Shield. For the list of AWS Regions that you can specify, and for help choosing the best Region for your origin, see [Choosing the AWS Region for Origin Shield](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html#choose-origin-shield-region) in the *Amazon CloudFront Developer Guide* ." }, + "AWS::CloudFront::Distribution ParameterDefinition": { + "Definition": "The value that you assigned to the parameter.", + "Name": "The name of the parameter." + }, "AWS::CloudFront::Distribution Restrictions": { "GeoRestriction": "A complex type that controls the countries in which your content is distributed. CloudFront determines the location of your users using `MaxMind` GeoIP databases. To disable geo restriction, remove the [Restrictions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-restrictions) property from your stack template." }, @@ -7770,10 +8036,18 @@ "Items": "The items (status codes) for an origin group.", "Quantity": "The number of status codes." }, + "AWS::CloudFront::Distribution StringSchema": { + "Comment": "", + "DefaultValue": "", + "Required": "" + }, "AWS::CloudFront::Distribution Tag": { "Key": "A string that contains `Tag` key.\n\nThe string length should be between 1 and 128 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` .", "Value": "A string that contains an optional `Tag` value.\n\nThe string length should be between 0 and 256 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` ." }, + "AWS::CloudFront::Distribution TenantConfig": { + "ParameterDefinitions": "The parameters that you specify for a distribution tenant." + }, "AWS::CloudFront::Distribution ViewerCertificate": { "AcmCertificateArn": "> In CloudFormation, this field name is `AcmCertificateArn` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) , provide the Amazon Resource Name (ARN) of the ACM certificate. CloudFront only supports ACM certificates in the US East (N. Virginia) Region ( `us-east-1` ).\n\nIf you specify an ACM certificate ARN, you must also specify values for `MinimumProtocolVersion` and `SSLSupportMethod` . (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.)", "CloudFrontDefaultCertificate": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), omit this field and specify values for the following fields:\n\n- `AcmCertificateArn` or `IamCertificateId` (specify a value for one, not both)\n- `MinimumProtocolVersion`\n- `SslSupportMethod`", @@ -7786,6 +8060,50 @@ "OriginReadTimeout": "Specifies how long, in seconds, CloudFront waits for a response from the origin. This is also known as the *origin response timeout* . The minimum timeout is 1 second, the maximum is 60 seconds, and the default (if you don't specify otherwise) is 30 seconds.\n\nFor more information, see [Response timeout (custom origins only)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginResponseTimeout) in the *Amazon CloudFront Developer Guide* .", "VpcOriginId": "The VPC origin ID." }, + "AWS::CloudFront::DistributionTenant": { + "ConnectionGroupId": "The ID of the connection group for the distribution tenant. If you don't specify a connection group, CloudFront uses the default connection group.", + "Customizations": "Customizations for the distribution tenant. For each distribution tenant, you can specify the geographic restrictions, and the Amazon Resource Names (ARNs) for the ACM certificate and AWS WAF web ACL. These are specific values that you can override or disable from the multi-tenant distribution that was used to create the distribution tenant.", + "DistributionId": "The ID of the multi-tenant distribution.", + "Domains": "The domains associated with the distribution tenant.", + "Enabled": "Indicates whether the distribution tenant is in an enabled state. If disabled, the distribution tenant won't serve traffic.", + "ManagedCertificateRequest": "An object that represents the request for the Amazon CloudFront managed ACM certificate.", + "Name": "The name of the distribution tenant.", + "Parameters": "A list of parameter values to add to the resource. A parameter is specified as a key-value pair. A valid parameter value must exist for any parameter that is marked as required in the multi-tenant distribution.", + "Tags": "A complex type that contains zero or more `Tag` elements." + }, + "AWS::CloudFront::DistributionTenant Certificate": { + "Arn": "The Amazon Resource Name (ARN) of the ACM certificate." + }, + "AWS::CloudFront::DistributionTenant Customizations": { + "Certificate": "The AWS Certificate Manager (ACM) certificate.", + "GeoRestrictions": "The geographic restrictions.", + "WebAcl": "The AWS WAF web ACL." + }, + "AWS::CloudFront::DistributionTenant DomainResult": { + "Domain": "The specified domain.", + "Status": "Whether the domain is active or inactive." + }, + "AWS::CloudFront::DistributionTenant GeoRestrictionCustomization": { + "Locations": "The locations for geographic restrictions.", + "RestrictionType": "The method that you want to use to restrict distribution of your content by country:\n\n- `none` : No geographic restriction is enabled, meaning access to content is not restricted by client geo location.\n- `blacklist` : The `Location` elements specify the countries in which you don't want CloudFront to distribute your content.\n- `whitelist` : The `Location` elements specify the countries in which you want CloudFront to distribute your content." + }, + "AWS::CloudFront::DistributionTenant ManagedCertificateRequest": { + "CertificateTransparencyLoggingPreference": "You can opt out of certificate transparency logging by specifying the `disabled` option. Opt in by specifying `enabled` . For more information, see [Certificate Transparency Logging](https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency) in the *AWS Certificate Manager User Guide* .", + "PrimaryDomainName": "The primary domain name associated with the CloudFront managed ACM certificate.", + "ValidationTokenHost": "Specify how the HTTP validation token will be served when requesting the CloudFront managed ACM certificate.\n\n- For `cloudfront` , CloudFront will automatically serve the validation token. Choose this mode if you can point the domain's DNS to CloudFront immediately.\n- For `self-hosted` , you serve the validation token from your existing infrastructure. Choose this mode when you need to maintain current traffic flow while your certificate is being issued. You can place the validation token at the well-known path on your existing web server, wait for ACM to validate and issue the certificate, and then update your DNS to point to CloudFront." + }, + "AWS::CloudFront::DistributionTenant Parameter": { + "Name": "The parameter name.", + "Value": "The parameter value." + }, + "AWS::CloudFront::DistributionTenant Tag": { + "Key": "A string that contains `Tag` key.\n\nThe string length should be between 1 and 128 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` .", + "Value": "A string that contains an optional `Tag` value.\n\nThe string length should be between 0 and 256 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` ." + }, + "AWS::CloudFront::DistributionTenant WebAclCustomization": { + "Action": "The action for the AWS WAF web ACL customization. You can specify `override` to specify a separate AWS WAF web ACL for the distribution tenant. If you specify `disable` , the distribution tenant won't have AWS WAF web ACL protections and won't inherit from the multi-tenant distribution.", + "Arn": "The Amazon Resource Name (ARN) of the AWS WAF web ACL." + }, "AWS::CloudFront::Function": { "AutoPublish": "A flag that determines whether to automatically publish the function to the `LIVE` stage when it\u2019s created. To automatically publish to the `LIVE` stage, set this property to `true` .", "FunctionCode": "The function code. For more information about writing a CloudFront function, see [Writing function code for CloudFront Functions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/writing-function-code.html) in the *Amazon CloudFront Developer Guide* .", @@ -7879,7 +8197,7 @@ "SamplingRate": "The sampling rate for this real-time log configuration. The sampling rate determines the percentage of viewer requests that are represented in the real-time log data. The sampling rate is an integer between 1 and 100, inclusive." }, "AWS::CloudFront::RealtimeLogConfig EndPoint": { - "KinesisStreamConfig": "Contains information about the Amazon Kinesis data stream where you are sending real-time log data.", + "KinesisStreamConfig": "Contains information about the Amazon Kinesis data stream where you are sending real-time log data in a real-time log configuration.", "StreamType": "The type of data stream where you are sending real-time log data. The only valid value is `Kinesis` ." }, "AWS::CloudFront::RealtimeLogConfig KinesisStreamConfig": { @@ -8016,7 +8334,7 @@ "HTTPSPort": "The HTTPS port of the CloudFront VPC origin endpoint configuration. The default value is `443` .", "Name": "The name of the CloudFront VPC origin endpoint configuration.", "OriginProtocolPolicy": "The origin protocol policy for the CloudFront VPC origin endpoint configuration.", - "OriginSSLProtocols": "" + "OriginSSLProtocols": "Specifies the minimum SSL/TLS protocol that CloudFront uses when connecting to your origin over HTTPS. Valid values include `SSLv3` , `TLSv1` , `TLSv1.1` , and `TLSv1.2` .\n\nFor more information, see [Minimum Origin SSL Protocol](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols) in the *Amazon CloudFront Developer Guide* ." }, "AWS::CloudTrail::Channel": { "Destinations": "One or more event data stores to which events arriving through a channel will be logged.", @@ -8060,12 +8378,14 @@ "AWS::CloudTrail::EventDataStore": { "AdvancedEventSelectors": "The advanced event selectors to use to select the events for the data store. You can configure up to five advanced event selectors for each event data store.\n\nFor more information about how to use advanced event selectors to log CloudTrail events, see [Log events by using advanced event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-advanced) in the CloudTrail User Guide.\n\nFor more information about how to use advanced event selectors to include AWS Config configuration items in your event data store, see [Create an event data store for AWS Config configuration items](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-eds-cli.html#lake-cli-create-eds-config) in the CloudTrail User Guide.\n\nFor more information about how to use advanced event selectors to include events outside of AWS events in your event data store, see [Create an integration to log events from outside AWS](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-integrations-cli.html#lake-cli-create-integration) in the CloudTrail User Guide.", "BillingMode": "The billing mode for the event data store determines the cost for ingesting events and the default and maximum retention period for the event data store.\n\nThe following are the possible values:\n\n- `EXTENDABLE_RETENTION_PRICING` - This billing mode is generally recommended if you want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days.\n- `FIXED_RETENTION_PRICING` - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). The default retention period for this billing mode is 2557 days.\n\nThe default value is `EXTENDABLE_RETENTION_PRICING` .\n\nFor more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://docs.aws.amazon.com/cloudtrail/pricing/) and [Managing CloudTrail Lake costs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html) .", + "ContextKeySelectors": "The list of context key selectors that are configured for the event data store.", "FederationEnabled": "Indicates if [Lake query federation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html) is enabled. By default, Lake query federation is disabled. You cannot delete an event data store if Lake query federation is enabled.", "FederationRoleArn": "If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store.\n\nThe federation role must exist in your account and provide the [required minimum permissions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html#query-federation-permissions-role) .", "IngestionEnabled": "Specifies whether the event data store should start ingesting live events. The default is true.", "InsightSelectors": "A JSON string that contains the Insights types you want to log on an event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", "InsightsDestination": "The ARN (or ID suffix of the ARN) of the destination event data store that logs Insights events. For more information, see [Create an event data store for CloudTrail Insights events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-insights.html) .", "KmsKeyId": "Specifies the AWS KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by `alias/` , a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\n> Disabling or deleting the KMS key, or removing CloudTrail permissions on the key, prevents CloudTrail from logging events to the event data store, and prevents users from querying the data in the event data store that was encrypted with the key. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. Before you disable or delete a KMS key that you are using with an event data store, delete or back up your event data store. \n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- `alias/MyAliasName`\n- `arn:aws:kms:us-east-2:123456789012:alias/MyAliasName`\n- `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`\n- `12345678-1234-1234-1234-123456789012`", + "MaxEventSize": "The maximum allowed size for events to be stored in the specified event data store. If you are using context key selectors, MaxEventSize must be set to Large.", "MultiRegionEnabled": "Specifies whether the event data store includes events from all Regions, or only from the Region in which the event data store is created.", "Name": "The name of the event data store.", "OrganizationEnabled": "Specifies whether an event data store collects events logged for an organization in AWS Organizations .", @@ -8086,6 +8406,10 @@ "NotStartsWith": "An operator that excludes events that match the first few characters of the event record field specified as the value of `Field` .", "StartsWith": "An operator that includes events that match the first few characters of the event record field specified as the value of `Field` ." }, + "AWS::CloudTrail::EventDataStore ContextKeySelector": { + "Equals": "A list of keys defined by Type to be included in CloudTrail enriched events.", + "Type": "Specifies the type of the event record field in ContextKeySelector. Valid values include RequestContext, TagContext." + }, "AWS::CloudTrail::EventDataStore InsightSelector": { "InsightType": "The type of Insights events to log on an event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful." }, @@ -8108,7 +8432,7 @@ "IsLogging": "Whether the CloudTrail trail is currently logging AWS API calls.", "IsMultiRegionTrail": "Specifies whether the trail applies only to the current Region or to all Regions. The default is false. If the trail exists only in the current Region and this value is set to true, shadow trails (replications of the trail) will be created in the other Regions. If the trail exists in all Regions and this value is set to false, the trail will remain in the Region where it was created, and its shadow trails in other Regions will be deleted. As a best practice, consider using trails that log events in all Regions.", "IsOrganizationTrail": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.\n\n> Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.", - "KMSKeyId": "Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail. The value can be an alias name prefixed by \"alias/\", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012\n- 12345678-1234-1234-1234-123456789012", + "KMSKeyId": "Specifies the AWS KMS key ID to use to encrypt the logs and digest files delivered by CloudTrail. The value can be an alias name prefixed by \"alias/\", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012\n- 12345678-1234-1234-1234-123456789012", "S3BucketName": "Specifies the name of the Amazon S3 bucket designated for publishing log files. See [Amazon S3 Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html) .", "S3KeyPrefix": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. For more information, see [Finding Your CloudTrail Log Files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/get-and-view-cloudtrail-log-files.html#cloudtrail-find-log-files) . The maximum length is 200 characters.", "SnsTopicName": "Specifies the name or ARN of the Amazon SNS topic defined for notification of log file delivery. The maximum length is 256 characters.", @@ -8274,6 +8598,7 @@ "DashboardName": "The name of the dashboard. The name must be between 1 and 255 characters. If you do not specify a name, one will be generated automatically." }, "AWS::CloudWatch::InsightRule": { + "ApplyOnTransformedLogs": "Determines whether the rules is evaluated on transformed versions of logs. Valid values are `TRUE` and `FALSE` .", "RuleBody": "The definition of the rule, as a JSON object. For details about the syntax, see [Contributor Insights Rule Syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContributorInsights-RuleSyntax.html) in the *Amazon CloudWatch User Guide* .", "RuleName": "The name of the rule.", "RuleState": "The current state of the rule. Valid values are `ENABLED` and `DISABLED` .", @@ -8357,7 +8682,7 @@ }, "AWS::CodeBuild::Fleet": { "BaseCapacity": "The initial number of machines allocated to the compute \ufb02eet, which de\ufb01nes the number of builds that can run in parallel.", - "ComputeConfiguration": "The compute configuration of the compute fleet. This is only required if `computeType` is set to `ATTRIBUTE_BASED_COMPUTE` .", + "ComputeConfiguration": "The compute configuration of the compute fleet. This is only required if `computeType` is set to `ATTRIBUTE_BASED_COMPUTE` or `CUSTOM_INSTANCE_TYPE` .", "ComputeType": "Information about the compute resources the compute fleet uses. Available values include:\n\n- `ATTRIBUTE_BASED_COMPUTE` : Specify the amount of vCPUs, memory, disk space, and the type of machine.\n\n> If you use `ATTRIBUTE_BASED_COMPUTE` , you must define your attributes by using `computeConfiguration` . AWS CodeBuild will select the cheapest instance that satisfies your specified attributes. For more information, see [Reserved capacity environment types](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html#environment-reserved-capacity.types) in the *AWS CodeBuild User Guide* .\n- `BUILD_GENERAL1_SMALL` : Use up to 4 GiB memory and 2 vCPUs for builds.\n- `BUILD_GENERAL1_MEDIUM` : Use up to 8 GiB memory and 4 vCPUs for builds.\n- `BUILD_GENERAL1_LARGE` : Use up to 16 GiB memory and 8 vCPUs for builds, depending on your environment type.\n- `BUILD_GENERAL1_XLARGE` : Use up to 72 GiB memory and 36 vCPUs for builds, depending on your environment type.\n- `BUILD_GENERAL1_2XLARGE` : Use up to 144 GiB memory, 72 vCPUs, and 824 GB of SSD storage for builds. This compute type supports Docker images up to 100 GB uncompressed.\n- `BUILD_LAMBDA_1GB` : Use up to 1 GiB memory for builds. Only available for environment type `LINUX_LAMBDA_CONTAINER` and `ARM_LAMBDA_CONTAINER` .\n- `BUILD_LAMBDA_2GB` : Use up to 2 GiB memory for builds. Only available for environment type `LINUX_LAMBDA_CONTAINER` and `ARM_LAMBDA_CONTAINER` .\n- `BUILD_LAMBDA_4GB` : Use up to 4 GiB memory for builds. Only available for environment type `LINUX_LAMBDA_CONTAINER` and `ARM_LAMBDA_CONTAINER` .\n- `BUILD_LAMBDA_8GB` : Use up to 8 GiB memory for builds. Only available for environment type `LINUX_LAMBDA_CONTAINER` and `ARM_LAMBDA_CONTAINER` .\n- `BUILD_LAMBDA_10GB` : Use up to 10 GiB memory for builds. Only available for environment type `LINUX_LAMBDA_CONTAINER` and `ARM_LAMBDA_CONTAINER` .\n\nIf you use `BUILD_GENERAL1_SMALL` :\n\n- For environment type `LINUX_CONTAINER` , you can use up to 4 GiB memory and 2 vCPUs for builds.\n- For environment type `LINUX_GPU_CONTAINER` , you can use up to 16 GiB memory, 4 vCPUs, and 1 NVIDIA A10G Tensor Core GPU for builds.\n- For environment type `ARM_CONTAINER` , you can use up to 4 GiB memory and 2 vCPUs on ARM-based processors for builds.\n\nIf you use `BUILD_GENERAL1_LARGE` :\n\n- For environment type `LINUX_CONTAINER` , you can use up to 16 GiB memory and 8 vCPUs for builds.\n- For environment type `LINUX_GPU_CONTAINER` , you can use up to 255 GiB memory, 32 vCPUs, and 4 NVIDIA Tesla V100 GPUs for builds.\n- For environment type `ARM_CONTAINER` , you can use up to 16 GiB memory and 8 vCPUs on ARM-based processors for builds.\n\nFor more information, see [On-demand environment types](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html#environment.types) in the *AWS CodeBuild User Guide.*", "EnvironmentType": "The environment type of the compute fleet.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), EU (Frankfurt), and South America (S\u00e3o Paulo).\n- The environment type `ARM_EC2` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (S\u00e3o Paulo), and Asia Pacific (Mumbai).\n- The environment type `LINUX_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (S\u00e3o Paulo), and Asia Pacific (Mumbai).\n- The environment type `LINUX_EC2` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (S\u00e3o Paulo), and Asia Pacific (Mumbai).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), and Asia Pacific (Sydney).\n- The environment type `MAC_ARM` is available only in regions US East (Ohio), US East (N. Virginia), US West (Oregon), Europe (Frankfurt), and Asia Pacific (Sydney).\n- The environment type `WINDOWS_EC2` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (S\u00e3o Paulo), and Asia Pacific (Mumbai).\n- The environment type `WINDOWS_SERVER_2019_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Mumbai) and EU (Ireland).\n- The environment type `WINDOWS_SERVER_2022_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Sydney), Asia Pacific (Singapore), Asia Pacific (Tokyo), South America (S\u00e3o Paulo) and Asia Pacific (Mumbai).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", "FleetProxyConfiguration": "Information about the proxy configurations that apply network access control to your reserved capacity instances.", @@ -8371,6 +8696,7 @@ }, "AWS::CodeBuild::Fleet ComputeConfiguration": { "disk": "The amount of disk space of the instance type included in your fleet.", + "instanceType": "The EC2 instance type to be launched in your fleet.", "machineType": "The machine type of the instance type included in your fleet.", "memory": "The amount of memory of the instance type included in your fleet.", "vCpu": "The number of vCPUs of the instance type included in your fleet." @@ -8483,6 +8809,7 @@ "TimeoutInMins": "Specifies the maximum amount of time, in minutes, that the batch build must be completed in." }, "AWS::CodeBuild::Project ProjectCache": { + "CacheNamespace": "Defines the scope of the cache. You can use this namespace to share a cache across multiple projects. For more information, see [Cache sharing between projects](https://docs.aws.amazon.com/codebuild/latest/userguide/caching-s3.html#caching-s3-sharing) in the *AWS CodeBuild User Guide* .", "Location": "Information about the cache location:\n\n- `NO_CACHE` or `LOCAL` : This value is ignored.\n- `S3` : This is the S3 bucket name/prefix.", "Modes": "An array of strings that specify the local cache modes. You can use one or more local cache modes at the same time. This is only used for `LOCAL` cache types.\n\nPossible values are:\n\n- **LOCAL_SOURCE_CACHE** - Caches Git metadata for primary and secondary sources. After the cache is created, subsequent builds pull only the change between commits. This mode is a good choice for projects with a clean working directory and a source that is a large Git repository. If you choose this option and your project does not use a Git repository (GitHub, GitHub Enterprise, or Bitbucket), the option is ignored.\n- **LOCAL_DOCKER_LAYER_CACHE** - Caches existing Docker layers. This mode is a good choice for projects that build or pull large Docker images. It can prevent the performance issues caused by pulling large Docker images down from the network.\n\n> - You can use a Docker layer cache in the Linux environment only.\n> - The `privileged` flag must be set so that your project has the required Docker permissions.\n> - You should consider the security implications before you use a Docker layer cache.\n- **LOCAL_CUSTOM_CACHE** - Caches directories you specify in the buildspec file. This mode is a good choice if your build scenario is not suited to one of the other three local cache modes. If you use a custom cache:\n\n- Only directories can be specified for caching. You cannot specify individual files.\n- Symlinks are used to reference cached directories.\n- Cached directories are linked to your build before it downloads its project sources. Cached items are overridden if a source item has the same name. Directories are specified using cache paths in the buildspec file.", "Type": "The type of cache used by the build project. Valid values include:\n\n- `NO_CACHE` : The build project does not use any cache.\n- `S3` : The build project reads and writes from and to S3.\n- `LOCAL` : The build project stores a cache locally on a build host that is only available to that build host." @@ -8517,7 +8844,9 @@ "Status": "The current status of the S3 build logs. Valid values are:\n\n- `ENABLED` : S3 build logs are enabled for this build project.\n- `DISABLED` : S3 build logs are not enabled for this build project." }, "AWS::CodeBuild::Project ScopeConfiguration": { - "Name": "The name of either the enterprise or organization that will send webhook events to CodeBuild , depending on if the webhook is a global or organization webhook respectively." + "Domain": "The domain of the GitHub Enterprise organization or the GitLab Self Managed group. Note that this parameter is only required if your project's source type is GITHUB_ENTERPRISE or GITLAB_SELF_MANAGED.", + "Name": "The name of either the enterprise or organization that will send webhook events to CodeBuild , depending on if the webhook is a global or organization webhook respectively.", + "Scope": "The type of scope for a GitHub or GitLab webhook. The scope default is GITHUB_ORGANIZATION." }, "AWS::CodeBuild::Project Source": { "Auth": "Information about the authorization settings for AWS CodeBuild to access the source code to be built.", @@ -8868,6 +9197,7 @@ "ActionTypeId": "Specifies the action type and the provider of the action.", "Commands": "The shell commands to run with your compute action in CodePipeline. All commands are supported except multi-line formats. While CodeBuild logs and permissions are used, you do not need to create any resources in CodeBuild.\n\n> Using compute time for this action will incur separate charges in AWS CodeBuild .", "Configuration": "The action's configuration. These are key-value pairs that specify input values for an action. For more information, see [Action Structure Requirements in CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html#action-requirements) . For the list of configuration properties for the AWS CloudFormation action type in CodePipeline, see [Configuration Properties Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-action-reference.html) in the *AWS CloudFormation User Guide* . For template snippets with examples, see [Using Parameter Override Functions with CodePipeline Pipelines](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-parameter-override-functions.html) in the *AWS CloudFormation User Guide* .\n\nThe values can be represented in either JSON or YAML format. For example, the JSON configuration item format is as follows:\n\n*JSON:*\n\n`\"Configuration\" : { Key : Value },`", + "EnvironmentVariables": "The environment variables for the action.", "InputArtifacts": "The name or ID of the artifact consumed by the action, such as a test or build artifact. While the field is not a required parameter, most actions have an action configuration that requires a specified quantity of input artifacts. To refer to the action configuration specification by action provider, see the [Action structure reference](https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference.html) in the *AWS CodePipeline User Guide* .\n\n> For a CodeBuild action with multiple input artifacts, one of your input sources must be designated the PrimarySource. For more information, see the [CodeBuild action reference page](https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodeBuild.html) in the *AWS CodePipeline User Guide* .", "Name": "The action declaration's name.", "Namespace": "The variable namespace associated with the action. All variables produced as output by this action fall under this namespace.", @@ -8908,6 +9238,11 @@ "Id": "The ID used to identify the key. For an AWS KMS key, you can use the key ID, the key ARN, or the alias ARN.\n\n> Aliases are recognized only in the account that created the AWS KMS key. For cross-account actions, you can only use the key ID or key ARN to identify the key. Cross-account actions involve using the role from the other account (AccountB), so specifying the key ID will use the key from the other account (AccountB).", "Type": "The type of encryption key, such as an AWS KMS key. When creating or updating a pipeline, the value must be set to 'KMS'." }, + "AWS::CodePipeline::Pipeline EnvironmentVariable": { + "Name": "The environment variable name in the key-value pair.", + "Type": "Specifies the type of use for the environment variable value. The value can be either `PLAINTEXT` or `SECRETS_MANAGER` . If the value is `SECRETS_MANAGER` , provide the Secrets reference in the EnvironmentVariable value.", + "Value": "The environment variable value in the key-value pair." + }, "AWS::CodePipeline::Pipeline FailureConditions": { "Conditions": "The conditions that are configured as failure conditions. For more information about conditions, see [Stage conditions](https://docs.aws.amazon.com/codepipeline/latest/userguide/stage-conditions.html) and [How do stage conditions work?](https://docs.aws.amazon.com/codepipeline/latest/userguide/concepts-how-it-works-conditions.html) .", "Result": "The specified result for when the failure conditions are met, such as rolling back the stage.", @@ -9156,10 +9491,10 @@ }, "AWS::Cognito::ManagedLoginBranding": { "Assets": "An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.", - "ClientId": "The app client that's assigned to the branding style that you want more information about.", + "ClientId": "The app client that you want to assign the branding style to. Each style is linked to an app client until you delete it.", "ReturnMergedResources": "When `true` , returns values for branding options that are unchanged from Amazon Cognito defaults. When `false` or when you omit this parameter, returns only values that you customized in your branding style.", "Settings": "A JSON file, encoded as a `Document` type, with the the settings that you want to apply to your style.", - "UseCognitoProvidedValues": "When true, applies the default branding style options. This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding designer.\n\nWhen you specify `true` for this option, you must also omit values for `Settings` and `Assets` in the request.", + "UseCognitoProvidedValues": "When true, applies the default branding style options. This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding editor.\n\nWhen you specify `true` for this option, you must also omit values for `Settings` and `Assets` in the request.", "UserPoolId": "The user pool where the branding style is assigned." }, "AWS::Cognito::ManagedLoginBranding AssetType": { @@ -9333,6 +9668,7 @@ "LogoutURLs": "A list of allowed logout URLs for managed login authentication. When you pass `logout_uri` and `client_id` parameters to `/logout` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of `logout_uri` . A typical use of these URLs is when a user selects \"Sign out\" and you redirect them to your public homepage. For more information, see [Logout endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html) .", "PreventUserExistenceErrors": "Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to `ENABLED` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY` , those APIs return a `UserNotFoundException` exception if the user doesn't exist in the user pool.\n\nValid values include:\n\n- `ENABLED` - This prevents user existence-related errors.\n- `LEGACY` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented.\n\nDefaults to `LEGACY` when you don't provide a value.", "ReadAttributes": "The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information.\n\nWhen you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified` , `phone_number_verified` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.", + "RefreshTokenRotation": "The configuration of your app client for refresh token rotation. When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens.", "RefreshTokenValidity": "The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for `RefreshTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.\n\nFor example, when you set `RefreshTokenValidity` as `10` and `TokenValidityUnits` as `days` , your user can refresh their session\nand retrieve new access and ID tokens for 10 days.\n\nThe default time unit for `RefreshTokenValidity` in an API request is days. You can't set `RefreshTokenValidity` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds.\n\nIf you don't specify otherwise in the configuration of your app client, your refresh\ntokens are valid for 30 days.", "SupportedIdentityProviders": "A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: `COGNITO` , `Facebook` , `Google` , `SignInWithApple` , and `LoginWithAmazon` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example `MySAMLIdP` or `MyOIDCIdP` .\n\nThis parameter sets the IdPs that [managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) will display on the login page for your app client. The removal of `COGNITO` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a [AWS WAF rule](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html) .", "TokenValidityUnits": "The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.", @@ -9346,6 +9682,10 @@ "RoleArn": "The ARN of an AWS Identity and Access Management role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics.", "UserDataShared": "If `UserDataShared` is `true` , Amazon Cognito includes user data in the events that it publishes to Amazon Pinpoint analytics." }, + "AWS::Cognito::UserPoolClient RefreshTokenRotation": { + "Feature": "The state of refresh token rotation for the current app client.", + "RetryGracePeriodSeconds": "When you request a token refresh with `GetTokensFromRefreshToken` , the original refresh token that you're rotating out can remain valid for a period of time of up to 60 seconds. This allows for client-side retries. When `RetryGracePeriodSeconds` is `0` , the grace period is disabled and a successful request immediately invalidates the submitted refresh token." + }, "AWS::Cognito::UserPoolClient TokenValidityUnits": { "AccessToken": "A time unit for the value that you set in the `AccessTokenValidity` parameter. The default `AccessTokenValidity` time unit is `hours` . `AccessTokenValidity` duration can range from five minutes to one day.", "IdToken": "A time unit for the value that you set in the `IdTokenValidity` parameter. The default `IdTokenValidity` time unit is `hours` . `IdTokenValidity` duration can range from five minutes to one day.", @@ -9354,7 +9694,7 @@ "AWS::Cognito::UserPoolDomain": { "CustomDomainConfig": "The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM.\n\nWhen you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.", "Domain": "The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example `auth.example.com` . For prefix domains, this is the prefix alone, such as `myprefix` .", - "ManagedLoginVersion": "A version number that indicates the state of managed login for your domain. Version `1` is hosted UI (classic). Version `2` is the newer managed login with the branding designer. For more information, see [Managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) .", + "ManagedLoginVersion": "A version number that indicates the state of managed login for your domain. Version `1` is hosted UI (classic). Version `2` is the newer managed login with the branding editor. For more information, see [Managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) .", "UserPoolId": "The ID of the user pool that is associated with the domain you're updating." }, "AWS::Cognito::UserPoolDomain CustomDomainConfigType": { @@ -9802,7 +10142,7 @@ "AWS::Connect::EmailAddress": { "Description": "The description of the email address.", "DisplayName": "The display name of email address.", - "EmailAddress": "The email address with the instance, in [^\\s@]+@[^\\s@]+\\.[^\\s@]+ format.", + "EmailAddress": "The email address, including the domain.", "InstanceArn": "The Amazon Resource Name (ARN) of the instance.", "Tags": "An array of key-value pairs to apply to this resource." }, @@ -10975,7 +11315,7 @@ "RetainRule": "Information about the retention period for the snapshot archiving rule." }, "AWS::DLM::LifecyclePolicy CreateRule": { - "CronExpression": "The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. For more information, see the [Cron expressions reference](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cron-expressions.html) in the *Amazon EventBridge User Guide* .", + "CronExpression": "The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. For more information, see the [Cron and rate expressions](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html) in the *Amazon EventBridge User Guide* .", "Interval": "The interval between snapshots. The supported values are 1, 2, 3, 4, 6, 8, 12, and 24.", "IntervalUnit": "The interval unit.", "Location": "*[Custom snapshot policies only]* Specifies the destination for snapshots created by the policy. The allowed destinations depend on the location of the targeted resources.\n\n- If the policy targets resources in a Region, then you must create snapshots in the same Region as the source resource.\n- If the policy targets resources in a Local Zone, you can create snapshots in the same Local Zone or in its parent Region.\n- If the policy targets resources on an Outpost, then you can create snapshots on the same Outpost or in its parent Region.\n\nSpecify one of the following values:\n\n- To create snapshots in the same Region as the source resource, specify `CLOUD` .\n- To create snapshots in the same Local Zone as the source resource, specify `LOCAL_ZONE` .\n- To create snapshots on the same Outpost as the source resource, specify `OUTPOST_LOCAL` .\n\nDefault: `CLOUD`", @@ -11665,6 +12005,19 @@ "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." }, + "AWS::DSQL::Cluster": { + "DeletionProtectionEnabled": "Whether deletion protection is enabled on this cluster.", + "MultiRegionProperties": "Defines the structure for multi-Region cluster configurations, containing the witness Region and peered cluster settings.", + "Tags": "A map of key and value pairs this cluster is tagged with." + }, + "AWS::DSQL::Cluster MultiRegionProperties": { + "Clusters": "The set of peered clusters that form the multi-Region cluster configuration. Each peered cluster represents a database instance in a different Region.", + "WitnessRegion": "The Region that serves as the witness Region for a multi-Region cluster. The witness Region helps maintain cluster consistency and quorum." + }, + "AWS::DSQL::Cluster Tag": { + "Key": "Unique tag key, maximum 128 Unicode characters in UTF-8.", + "Value": "Tag value, maximum 256 Unicode characters in UTF-8." + }, "AWS::DataBrew::Dataset": { "Format": "The file format of a dataset that is created from an Amazon S3 file or folder.", "FormatOptions": "A set of options that define how DataBrew interprets the data in the dataset.", @@ -12116,22 +12469,35 @@ "VpcEndpointId": "The ID of the virtual private cloud (VPC) endpoint that the agent has access to. This is the client-side VPC endpoint, powered by AWS PrivateLink . If you don't have an AWS PrivateLink VPC endpoint, see [AWS PrivateLink and VPC endpoints](https://docs.aws.amazon.com//vpc/latest/userguide/endpoint-services-overview.html) in the *Amazon VPC User Guide* .\n\nFor more information about activating your agent in a private network based on a VPC, see [Using AWS DataSync in a Virtual Private Cloud](https://docs.aws.amazon.com/datasync/latest/userguide/datasync-in-vpc.html) in the *AWS DataSync User Guide.*\n\nA VPC endpoint ID looks like this: `vpce-01234d5aff67890e1` ." }, "AWS::DataSync::Agent Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::LocationAzureBlob": { - "AgentArns": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "AgentArns": "(Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .\n\n> Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.", "AzureAccessTier": "Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see [Access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) .", "AzureBlobAuthenticationType": "Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS).", "AzureBlobContainerUrl": "Specifies the URL of the Azure Blob Storage container involved in your transfer.", - "AzureBlobSasConfiguration": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.", + "AzureBlobSasConfiguration": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.\n\n> If you provide an authentication token using `SasConfiguration` , but do not provide secret configuration details using `CmkSecretConfig` or `CustomSecretConfig` , then DataSync stores the token using your AWS account's secrets manager secret.", "AzureBlobType": "Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. For more information on blob types, see the [Azure Blob Storage documentation](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) .", + "CmkSecretConfig": "Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .\n\n> You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request.", + "CustomSecretConfig": "Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.\n\n> You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request.", "Subdirectory": "Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, `/my/images` ).", "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location." }, "AWS::DataSync::LocationAzureBlob AzureBlobSasConfiguration": { "AzureBlobSasToken": "Specifies a SAS token that provides permissions to access your Azure Blob Storage.\n\nThe token is part of the SAS URI string that comes after the storage resource URI and a question mark. A token looks something like this:\n\n`sp=r&st=2023-12-20T14:54:52Z&se=2023-12-20T22:54:52Z&spr=https&sv=2021-06-08&sr=c&sig=aBBKDWQvyuVcTPH9EBp%2FXTI9E%2F%2Fmq171%2BZU178wcwqU%3D`" }, + "AWS::DataSync::LocationAzureBlob CmkSecretConfig": { + "KmsKeyArn": "Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for `SecretArn` . DataSync provides this key to AWS Secrets Manager .", + "SecretArn": "Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location. This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for `KmsKeyArn` ." + }, + "AWS::DataSync::LocationAzureBlob CustomSecretConfig": { + "SecretAccessRoleArn": "Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for `SecretArn` .", + "SecretArn": "Specifies the ARN for an AWS Secrets Manager secret." + }, + "AWS::DataSync::LocationAzureBlob ManagedSecretConfig": { + "SecretArn": "Specifies the ARN for an AWS Secrets Manager secret." + }, "AWS::DataSync::LocationAzureBlob Tag": { "Key": "The key for an AWS resource tag.", "Value": "The value for an AWS resource tag." @@ -12150,8 +12516,8 @@ "SubnetArn": "Specifies the ARN of a subnet where DataSync creates the [network interfaces](https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces) for managing traffic during your transfer.\n\nThe subnet must be located:\n\n- In the same virtual private cloud (VPC) as the Amazon EFS file system.\n- In the same Availability Zone as at least one mount target for the Amazon EFS file system.\n\n> You don't need to specify a subnet that includes a file system mount target." }, "AWS::DataSync::LocationEFS Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::LocationFSxLustre": { "FsxFilesystemArn": "Specifies the Amazon Resource Name (ARN) of the FSx for Lustre file system.", @@ -12160,8 +12526,8 @@ "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location." }, "AWS::DataSync::LocationFSxLustre Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::LocationFSxONTAP": { "Protocol": "Specifies the data transfer protocol that DataSync uses to access your Amazon FSx file system.", @@ -12190,8 +12556,8 @@ "Version": "By default, DataSync automatically chooses an SMB protocol version based on negotiation with your SMB file server. You also can configure DataSync to use a specific SMB version, but we recommend doing this only if DataSync has trouble negotiating with the SMB file server automatically.\n\nThese are the following options for configuring the SMB version:\n\n- `AUTOMATIC` (default): DataSync and the SMB file server negotiate the highest version of SMB that they mutually support between 2.1 and 3.1.1.\n\nThis is the recommended option. If you instead choose a specific version that your file server doesn't support, you may get an `Operation Not Supported` error.\n- `SMB3` : Restricts the protocol negotiation to only SMB version 3.0.2.\n- `SMB2` : Restricts the protocol negotiation to only SMB version 2.1.\n- `SMB2_0` : Restricts the protocol negotiation to only SMB version 2.0.\n- `SMB1` : Restricts the protocol negotiation to only SMB version 1.0.\n\n> The `SMB1` option isn't available when [creating an Amazon FSx for NetApp ONTAP location](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateLocationFsxOntap.html) ." }, "AWS::DataSync::LocationFSxONTAP Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::LocationFSxOpenZFS": { "FsxFilesystemArn": "The Amazon Resource Name (ARN) of the FSx for OpenZFS file system.", @@ -12210,8 +12576,8 @@ "NFS": "Represents the Network File System (NFS) protocol that DataSync uses to access your FSx for OpenZFS file system." }, "AWS::DataSync::LocationFSxOpenZFS Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::LocationFSxWindows": { "Domain": "Specifies the name of the Windows domain that the FSx for Windows File Server file system belongs to.\n\nIf you have multiple Active Directory domains in your environment, configuring this parameter makes sure that DataSync connects to the right file system.", @@ -12223,8 +12589,8 @@ "User": "The user who has the permissions to access files and folders in the FSx for Windows File Server file system.\n\nFor information about choosing a user name that ensures sufficient permissions to files, folders, and metadata, see [user](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html#FSxWuser) ." }, "AWS::DataSync::LocationFSxWindows Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::LocationHDFS": { "AgentArns": "The Amazon Resource Names (ARNs) of the DataSync agents that can connect to your HDFS cluster.", @@ -12250,8 +12616,8 @@ "RpcProtection": "The Remote Procedure Call (RPC) protection setting configured on the HDFS cluster. This setting corresponds to your `hadoop.rpc.protection` setting in your `core-site.xml` file on your Hadoop cluster." }, "AWS::DataSync::LocationHDFS Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::LocationNFS": { "MountOptions": "Specifies the options that DataSync can use to mount your NFS file server.", @@ -12267,21 +12633,34 @@ "AgentArns": "The Amazon Resource Names (ARNs) of the DataSync agents that can connect to your NFS file server.\n\nYou can specify more than one agent. For more information, see [Using multiple DataSync agents](https://docs.aws.amazon.com/datasync/latest/userguide/do-i-need-datasync-agent.html#multiple-agents) ." }, "AWS::DataSync::LocationNFS Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::LocationObjectStorage": { "AccessKey": "Specifies the access key (for example, a user name) if credentials are required to authenticate with the object storage server.", - "AgentArns": "Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.", + "AgentArns": "(Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.\n\n> Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.", "BucketName": "Specifies the name of the object storage bucket involved in the transfer.", - "SecretKey": "Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.", + "CmkSecretConfig": "Specifies configuration information for a DataSync-managed secret, which includes the `SecretKey` that DataSync uses to access a specific object storage location, with a customer-managed AWS KMS key .\n\nWhen you include this paramater as part of a `CreateLocationObjectStorage` request, you provide only the KMS key ARN. DataSync uses this KMS key together with the value you specify for the `SecretKey` parameter to create a DataSync-managed secret to store the location access credentials.\n\nMake sure the DataSync has permission to access the KMS key that you specify.\n\n> You can use either `CmkSecretConfig` (with `SecretKey` ) or `CustomSecretConfig` (without `SecretKey` ) to provide credentials for a `CreateLocationObjectStorage` request. Do not provide both parameters for the same request.", + "CustomSecretConfig": "Specifies configuration information for a customer-managed Secrets Manager secret where the secret key for a specific object storage location is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.\n\n> You can use either `CmkSecretConfig` (with `SecretKey` ) or `CustomSecretConfig` (without `SecretKey` ) to provide credentials for a `CreateLocationObjectStorage` request. Do not provide both parameters for the same request.", + "SecretKey": "Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.\n\n> If you provide a secret using `SecretKey` , but do not provide secret configuration details using `CmkSecretConfig` or `CustomSecretConfig` , then DataSync stores the token using your AWS account's Secrets Manager secret.", "ServerCertificate": "Specifies a certificate chain for DataSync to authenticate with your object storage system if the system uses a private or self-signed certificate authority (CA). You must specify a single `.pem` file with a full certificate chain (for example, `file:///home/user/.ssh/object_storage_certificates.pem` ).\n\nThe certificate chain might include:\n\n- The object storage system's certificate\n- All intermediate certificates (if there are any)\n- The root certificate of the signing CA\n\nYou can concatenate your certificates into a `.pem` file (which can be up to 32768 bytes before base64 encoding). The following example `cat` command creates an `object_storage_certificates.pem` file that includes three certificates:\n\n`cat object_server_certificate.pem intermediate_certificate.pem ca_root_certificate.pem > object_storage_certificates.pem`\n\nTo use this parameter, configure `ServerProtocol` to `HTTPS` .", "ServerHostname": "Specifies the domain name or IP version 4 (IPv4) address of the object storage server that your DataSync agent connects to.", "ServerPort": "Specifies the port that your object storage server accepts inbound network traffic on (for example, port 443).", - "ServerProtocol": "Specifies the protocol that your object storage server uses to communicate.", + "ServerProtocol": "Specifies the protocol that your object storage server uses to communicate. If not specified, the default value is `HTTPS` .", "Subdirectory": "Specifies the object prefix for your object storage server. If this is a source location, DataSync only copies objects with this prefix. If this is a destination location, DataSync writes all objects with this prefix.", "Tags": "Specifies the key-value pair that represents a tag that you want to add to the resource. Tags can help you manage, filter, and search for your resources. We recommend creating a name tag for your location." }, + "AWS::DataSync::LocationObjectStorage CmkSecretConfig": { + "KmsKeyArn": "Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for `SecretArn` . DataSync provides this key to AWS Secrets Manager .", + "SecretArn": "Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location. This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for `KmsKeyArn` ." + }, + "AWS::DataSync::LocationObjectStorage CustomSecretConfig": { + "SecretAccessRoleArn": "Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for `SecretArn` .", + "SecretArn": "Specifies the ARN for an AWS Secrets Manager secret." + }, + "AWS::DataSync::LocationObjectStorage ManagedSecretConfig": { + "SecretArn": "Specifies the ARN for an AWS Secrets Manager secret." + }, "AWS::DataSync::LocationObjectStorage Tag": { "Key": "The key for an AWS resource tag.", "Value": "The value for an AWS resource tag." @@ -12297,17 +12676,17 @@ "BucketAccessRoleArn": "Specifies the ARN of the IAM role that DataSync uses to access your S3 bucket." }, "AWS::DataSync::LocationS3 Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::LocationSMB": { "AgentArns": "Specifies the DataSync agent (or agents) that can connect to your SMB file server. You specify an agent by using its Amazon Resource Name (ARN).", - "AuthenticationType": "Specifies the authentication protocol that DataSync uses to connect to your SMB file server. DataSync supports `NTLM` (default) and `KERBEROS` authentication.\n\nFor more information, see [Providing DataSync access to SMB file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) .", - "DnsIpAddresses": "Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `KERBEROS` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.", + "AuthenticationType": "", + "DnsIpAddresses": "", "Domain": "Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if `AuthenticationType` is set to `NTLM` .\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.", - "KerberosKeytab": "Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys.\n\nThe file must be base64 encoded.\n\nTo avoid task execution errors, make sure that the Kerberos principal that you use to create the keytab file matches exactly what you specify for `KerberosPrincipal` .", - "KerberosKrb5Conf": "Specifies a Kerberos configuration file ( `krb5.conf` ) that defines your Kerberos realm configuration.\n\nThe file must be base64 encoded.", - "KerberosPrincipal": "Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.\n\nA Kerberos principal might look like `HOST/kerberosuser@MYDOMAIN.ORG` .\n\nPrincipal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn\u2019t exactly match the principal that you use to create the keytab file.", + "KerberosKeytab": "", + "KerberosKrb5Conf": "", + "KerberosPrincipal": "", "MountOptions": "Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.", "Password": "Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer. This parameter applies only if `AuthenticationType` is set to `NTLM` .", "ServerHostname": "Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to.\n\nRemember the following when configuring this parameter:\n\n- You can't specify an IP version 6 (IPv6) address.\n- If you're using Kerberos authentication, you must specify a domain name.", @@ -12319,29 +12698,8 @@ "Version": "By default, DataSync automatically chooses an SMB protocol version based on negotiation with your SMB file server. You also can configure DataSync to use a specific SMB version, but we recommend doing this only if DataSync has trouble negotiating with the SMB file server automatically.\n\nThese are the following options for configuring the SMB version:\n\n- `AUTOMATIC` (default): DataSync and the SMB file server negotiate the highest version of SMB that they mutually support between 2.1 and 3.1.1.\n\nThis is the recommended option. If you instead choose a specific version that your file server doesn't support, you may get an `Operation Not Supported` error.\n- `SMB3` : Restricts the protocol negotiation to only SMB version 3.0.2.\n- `SMB2` : Restricts the protocol negotiation to only SMB version 2.1.\n- `SMB2_0` : Restricts the protocol negotiation to only SMB version 2.0.\n- `SMB1` : Restricts the protocol negotiation to only SMB version 1.0.\n\n> The `SMB1` option isn't available when [creating an Amazon FSx for NetApp ONTAP location](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateLocationFsxOntap.html) ." }, "AWS::DataSync::LocationSMB Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." - }, - "AWS::DataSync::StorageSystem": { - "AgentArns": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that connects to and reads from your on-premises storage system's management interface. You can only specify one ARN.", - "CloudWatchLogGroupArn": "Specifies the ARN of the Amazon CloudWatch log group for monitoring and logging discovery job events.", - "Name": "Specifies a familiar name for your on-premises storage system.", - "ServerConfiguration": "Specifies the server name and network port required to connect with the management interface of your on-premises storage system.", - "ServerCredentials": "Specifies the user name and password for accessing your on-premises storage system's management interface.", - "SystemType": "Specifies the type of on-premises storage system that you want DataSync Discovery to collect information about.\n\n> DataSync Discovery currently supports NetApp Fabric-Attached Storage (FAS) and All Flash FAS (AFF) systems running ONTAP 9.7 or later.", - "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your on-premises storage system." - }, - "AWS::DataSync::StorageSystem ServerConfiguration": { - "ServerHostname": "The domain name or IP address of your storage system's management interface.", - "ServerPort": "The network port for accessing the storage system's management interface." - }, - "AWS::DataSync::StorageSystem ServerCredentials": { - "Password": "Specifies the password for your storage system's management interface.", - "Username": "Specifies the user name for your storage system's management interface." - }, - "AWS::DataSync::StorageSystem Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::Task": { "CloudWatchLogGroupArn": "Specifies the Amazon Resource Name (ARN) of an Amazon CloudWatch log group for monitoring your task.\n\nFor Enhanced mode tasks, you don't need to specify anything. DataSync automatically sends logs to a CloudWatch log group named `/aws/datasync` .\n\nFor more information, see [Monitoring data transfers with CloudWatch Logs](https://docs.aws.amazon.com/datasync/latest/userguide/configure-logging.html) .", @@ -12354,14 +12712,14 @@ "Schedule": "Specifies a schedule for when you want your task to run. For more information, see [Scheduling your task](https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html) .", "SourceLocationArn": "Specifies the ARN of your transfer's source location.", "Tags": "Specifies the tags that you want to apply to your task.\n\n*Tags* are key-value pairs that help you manage, filter, and search for your DataSync resources.", - "TaskMode": "Specifies one of the following task modes for your data transfer:\n\n- `ENHANCED` - Transfer virtually unlimited numbers of objects with higher performance than Basic mode. Enhanced mode tasks optimize the data transfer process by listing, preparing, transferring, and verifying data in parallel. Enhanced mode is currently available for transfers between Amazon S3 locations.\n\n> To create an Enhanced mode task, the IAM role that you use to call the `CreateTask` operation must have the `iam:CreateServiceLinkedRole` permission.\n- `BASIC` (default) - Transfer files or objects between AWS storage and all other supported DataSync locations. Basic mode tasks are subject to [quotas](https://docs.aws.amazon.com/datasync/latest/userguide/datasync-limits.html) on the number of files, objects, and directories in a dataset. Basic mode sequentially prepares, transfers, and verifies data, making it slower than Enhanced mode for most workloads.\n\nFor more information, see [Understanding task mode differences](https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html#task-mode-differences) .", - "TaskReportConfig": "Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer. For more information, see [Monitoring your DataSync transfers with task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .\n\nWhen using this parameter, your caller identity (the role that you're using DataSync with) must have the `iam:PassRole` permission. The [AWSDataSyncFullAccess](https://docs.aws.amazon.com/datasync/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsdatasyncfullaccess) policy includes this permission." + "TaskMode": "The task mode that you're using. For more information, see [Choosing a task mode for your data transfer](https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html) .", + "TaskReportConfig": "The configuration of your task report, which provides detailed information about your DataSync transfer. For more information, see [Monitoring your DataSync transfers with task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) ." }, "AWS::DataSync::Task Deleted": { - "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to delete." + "ReportLevel": "" }, "AWS::DataSync::Task Destination": { - "S3": "Specifies the Amazon S3 bucket where DataSync uploads your task report." + "S3": "" }, "AWS::DataSync::Task FilterRule": { "FilterType": "The type of filter rule to apply. AWS DataSync only supports the SIMPLE_PATTERN rule type.", @@ -12373,10 +12731,10 @@ "Source": "Specifies the manifest that you want DataSync to use and where it's hosted.\n\n> You must specify this parameter if you're configuring a new manifest on or after February 7, 2024.\n> \n> If you don't, you'll get a 400 status code and `ValidationException` error stating that you're missing the IAM role for DataSync to access the S3 bucket where you're hosting your manifest. For more information, see [Providing DataSync access to your manifest](https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html#transferring-with-manifest-access) ." }, "AWS::DataSync::Task ManifestConfigSourceS3": { - "BucketAccessRoleArn": "Specifies the AWS Identity and Access Management (IAM) role that allows DataSync to access your manifest. For more information, see [Providing DataSync access to your manifest](https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html#transferring-with-manifest-access) .", - "ManifestObjectPath": "Specifies the Amazon S3 object key of your manifest. This can include a prefix (for example, `prefix/my-manifest.csv` ).", - "ManifestObjectVersionId": "Specifies the object version ID of the manifest that you want DataSync to use. If you don't set this, DataSync uses the latest version of the object.", - "S3BucketArn": "Specifies the Amazon Resource Name (ARN) of the S3 bucket where you're hosting your manifest." + "BucketAccessRoleArn": "", + "ManifestObjectPath": "", + "ManifestObjectVersionId": "", + "S3BucketArn": "" }, "AWS::DataSync::Task Options": { "Atime": "A file metadata value that shows the last time that a file was accessed (that is, when the file was read or written to). If you set `Atime` to `BEST_EFFORT` , AWS DataSync attempts to preserve the original `Atime` attribute on all source files (that is, the version before the PREPARING phase). However, `Atime` 's behavior is not fully standard across platforms, so AWS DataSync can only do this on a best-effort basis.\n\nDefault value: `BEST_EFFORT`\n\n`BEST_EFFORT` : Attempt to preserve the per-file `Atime` value (recommended).\n\n`NONE` : Ignore `Atime` .\n\n> If `Atime` is set to `BEST_EFFORT` , `Mtime` must be set to `PRESERVE` .\n> \n> If `Atime` is set to `NONE` , `Mtime` must also be `NONE` .", @@ -12396,20 +12754,20 @@ "VerifyMode": "A value that determines whether a data integrity verification is performed at the end of a task execution after all data and metadata have been transferred. For more information, see [Configure task settings](https://docs.aws.amazon.com/datasync/latest/userguide/create-task.html) .\n\nDefault value: `POINT_IN_TIME_CONSISTENT`\n\n`ONLY_FILES_TRANSFERRED` (recommended): Perform verification only on files that were transferred.\n\n`POINT_IN_TIME_CONSISTENT` : Scan the entire source and entire destination at the end of the transfer to verify that the source and destination are fully synchronized. This option isn't supported when transferring to S3 Glacier or S3 Glacier Deep Archive storage classes.\n\n`NONE` : No additional verification is done at the end of the transfer, but all data transmissions are integrity-checked with checksum verification during the transfer." }, "AWS::DataSync::Task Overrides": { - "Deleted": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you [configure your task](https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html) to delete data in the destination that isn't in the source.", - "Skipped": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.", - "Transferred": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.", - "Verified": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer." + "Deleted": "", + "Skipped": "", + "Transferred": "", + "Verified": "" }, "AWS::DataSync::Task Skipped": { - "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to skip.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to skip." + "ReportLevel": "" }, "AWS::DataSync::Task Source": { - "S3": "Specifies the S3 bucket where you're hosting your manifest." + "S3": "" }, "AWS::DataSync::Task Tag": { - "Key": "The key for an AWS resource tag.", - "Value": "The value for an AWS resource tag." + "Key": "", + "Value": "" }, "AWS::DataSync::Task TaskReportConfig": { "Destination": "Specifies the Amazon S3 bucket where DataSync uploads your task report. For more information, see [Task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html#task-report-access) .", @@ -12419,19 +12777,19 @@ "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer, skip, verify, and delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer, skip, verify, and delete." }, "AWS::DataSync::Task TaskReportConfigDestinationS3": { - "BucketAccessRoleArn": "Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. For more information, see [Allowing DataSync to upload a task report to an Amazon S3 bucket](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .", - "S3BucketArn": "Specifies the ARN of the S3 bucket where DataSync uploads your report.", - "Subdirectory": "Specifies a bucket prefix for your report." + "BucketAccessRoleArn": "", + "S3BucketArn": "", + "Subdirectory": "" }, "AWS::DataSync::Task TaskSchedule": { "ScheduleExpression": "Specifies your task schedule by using a cron or rate expression.\n\nUse cron expressions for task schedules that run on a specific time and day. For example, the following cron expression creates a task schedule that runs at 8 AM on the first Wednesday of every month:\n\n`cron(0 8 * * 3#1)`\n\nUse rate expressions for task schedules that run on a regular interval. For example, the following rate expression creates a task schedule that runs every 12 hours:\n\n`rate(12 hours)`\n\nFor information about cron and rate expression syntax, see the [*Amazon EventBridge User Guide*](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html) .", - "Status": "Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to perform maintenance on a storage system before you can begin a recurring DataSync transfer.\n\nDataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see the [*DataSync User Guide*](https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html#pause-task-schedule) ." + "Status": "Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to pause a recurring transfer to fix an issue with your task or perform maintenance on your storage system.\n\nDataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see [TaskScheduleDetails](https://docs.aws.amazon.com/datasync/latest/userguide/API_TaskScheduleDetails.html) ." }, "AWS::DataSync::Task Transferred": { - "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer." + "ReportLevel": "" }, "AWS::DataSync::Task Verified": { - "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify." + "ReportLevel": "" }, "AWS::DataZone::Connection": { "AwsLocation": "The location where the connection is created.", @@ -12647,12 +13005,12 @@ "DomainVersion": "The domain version.", "KmsKeyIdentifier": "The identifier of the AWS Key Management Service (KMS) key that is used to encrypt the Amazon DataZone domain, metadata, and reporting data.", "Name": "The name of the Amazon DataZone domain.", - "ServiceRole": "", + "ServiceRole": "The service role of the domain.", "SingleSignOn": "The single sign-on details in Amazon DataZone.", "Tags": "The tags specified for the Amazon DataZone domain." }, "AWS::DataZone::Domain SingleSignOn": { - "IdcInstanceArn": "", + "IdcInstanceArn": "The ARN of the IDC instance.", "Type": "The type of single sign-on in Amazon DataZone.", "UserAssignment": "The single sign-on user assignment in Amazon DataZone." }, @@ -12660,6 +13018,12 @@ "Key": "The tag key.", "Value": "The tag value." }, + "AWS::DataZone::DomainUnit": { + "Description": "The description of the domain unit.", + "DomainIdentifier": "The ID of the domain where you want to crate a domain unit.", + "Name": "The name of the domain unit.", + "ParentDomainUnitIdentifier": "The ID of the parent domain unit." + }, "AWS::DataZone::Environment": { "Description": "The description of the environment.", "DomainIdentifier": "The identifier of the Amazon DataZone domain in which the environment is created.", @@ -12691,10 +13055,19 @@ "DomainIdentifier": "The identifier of the Amazon DataZone domain in which an environment blueprint exists.", "EnabledRegions": "The enabled AWS Regions specified in a blueprint configuration.", "EnvironmentBlueprintIdentifier": "The identifier of the environment blueprint.\n\nIn the current release, only the following values are supported: `DefaultDataLake` and `DefaultDataWarehouse` .", + "EnvironmentRolePermissionBoundary": "The environment role permission boundary.", "ManageAccessRoleArn": "The ARN of the manage access role.", + "ProvisioningConfigurations": "The provisioning configuration of a blueprint.", "ProvisioningRoleArn": "The ARN of the provisioning role.", "RegionalParameters": "The regional parameters of the environment blueprint." }, + "AWS::DataZone::EnvironmentBlueprintConfiguration LakeFormationConfiguration": { + "LocationRegistrationExcludeS3Locations": "", + "LocationRegistrationRole": "" + }, + "AWS::DataZone::EnvironmentBlueprintConfiguration ProvisioningConfiguration": { + "LakeFormationConfiguration": "" + }, "AWS::DataZone::EnvironmentBlueprintConfiguration RegionalParameter": { "Parameters": "A string to string map containing parameters for the region.", "Region": "The region specified in the environment parameter." @@ -12718,11 +13091,40 @@ "GroupIdentifier": "The ID of the group of a project member.", "Status": "The status of a group profile." }, + "AWS::DataZone::Owner": { + "DomainIdentifier": "The ID of the domain in which you want to add the entity owner.", + "EntityIdentifier": "The ID of the entity to which you want to add an owner.", + "EntityType": "The type of an entity.", + "Owner": "The owner that you want to add to the entity." + }, + "AWS::DataZone::Owner OwnerGroupProperties": { + "GroupIdentifier": "The ID of the domain unit owners group." + }, + "AWS::DataZone::Owner OwnerProperties": { + "Group": "Specifies that the domain unit owner is a group.", + "User": "Specifies that the domain unit owner is a user." + }, + "AWS::DataZone::Owner OwnerUserProperties": { + "UserIdentifier": "The ID of the owner user." + }, "AWS::DataZone::Project": { "Description": "The description of a project.", "DomainIdentifier": "The identifier of a Amazon DataZone domain where the project exists.", + "DomainUnitId": "The ID of the domain unit. This parameter is not required and if it is not specified, then the project is created at the root domain unit level.", "GlossaryTerms": "The glossary terms that can be used in this Amazon DataZone project.", - "Name": "The name of a project." + "Name": "The name of a project.", + "ProjectProfileId": "", + "ProjectProfileVersion": "", + "UserParameters": "" + }, + "AWS::DataZone::Project EnvironmentConfigurationUserParameter": { + "EnvironmentConfigurationName": "", + "EnvironmentId": "", + "EnvironmentParameters": "" + }, + "AWS::DataZone::Project EnvironmentParameter": { + "Name": "", + "Value": "" }, "AWS::DataZone::ProjectMembership": { "Designation": "The designated role of a project member.", @@ -12734,6 +13136,13 @@ "GroupIdentifier": "The ID of the group of a project member.", "UserIdentifier": "The user ID of a project member." }, + "AWS::DataZone::ProjectProfile": { + "Description": "The description of the project profile.", + "DomainIdentifier": "", + "DomainUnitIdentifier": "", + "Name": "The name of a project profile.", + "Status": "The status of a project profile." + }, "AWS::DataZone::SubscriptionTarget": { "ApplicableAssetTypes": "The asset types included in the subscription target.", "AuthorizedPrincipals": "The authorized principals included in the subscription target.", @@ -12782,6 +13191,7 @@ "Description": "A description that helps identify what the fleet is used for.\n\n> This field can store any content. Escape or encode this content before displaying it on a webpage or any other system that might interpret the content of this field.", "DisplayName": "The display name of the fleet summary to update.\n\n> This field can store any content. Escape or encode this content before displaying it on a webpage or any other system that might interpret the content of this field.", "FarmId": "The farm ID.", + "HostConfiguration": "Provides a script that runs as a worker is starting up that you can use to provide additional configuration for workers in your fleet.\n\nTo remove a script from a fleet, use the [UpdateFleet](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_UpdateFleet.html) operation with the `hostConfiguration` `scriptBody` parameter set to an empty string (\"\").", "MaxWorkerCount": "The maximum number of workers specified in the fleet.", "MinWorkerCount": "The minimum number of workers in the fleet.", "RoleArn": "The IAM role that workers in the fleet use when processing jobs.", @@ -12806,6 +13216,7 @@ "AWS::Deadline::Fleet CustomerManagedFleetConfiguration": { "Mode": "The AWS Auto Scaling mode for the customer managed fleet configuration.", "StorageProfileId": "The storage profile ID.", + "TagPropagationMode": "Specifies whether tags associated with a fleet are attached to workers when the worker is launched.\n\nWhen the `tagPropagationMode` is set to `PROPAGATE_TAGS_TO_WORKERS_AT_LAUNCH` any tag associated with a fleet is attached to workers when they launch. If the tags for a fleet change, the tags associated with running workers *do not* change.\n\nIf you don't specify `tagPropagationMode` , the default is `NO_PROPAGATION` .", "WorkerCapabilities": "The worker capabilities for a customer managed fleet configuration." }, "AWS::Deadline::Fleet CustomerManagedWorkerCapabilities": { @@ -12841,13 +13252,18 @@ "CustomerManaged": "The customer managed fleets within a fleet configuration.", "ServiceManagedEc2": "The service managed Amazon EC2 instances for a fleet configuration." }, + "AWS::Deadline::Fleet HostConfiguration": { + "ScriptBody": "The text of the script that runs as a worker is starting up that you can use to provide additional configuration for workers in your fleet. The script runs after a worker enters the `STARTING` state and before the worker processes tasks.\n\nFor more information about using the script, see [Run scripts as an administrator to configure workers](https://docs.aws.amazon.com/deadline-cloud/latest/developerguide/smf-admin.html) in the *Deadline Cloud Developer Guide* .\n\n> The script runs as an administrative user ( `sudo root` on Linux, as an Administrator on Windows).", + "ScriptTimeoutSeconds": "The maximum time that the host configuration can run. If the timeout expires, the worker enters the `NOT RESPONDING` state and shuts down. You are charged for the time that the worker is running the host configuration script.\n\n> You should configure your fleet for a maximum of one worker while testing your host configuration script to avoid starting additional workers. \n\nThe default is 300 seconds (5 minutes)." + }, "AWS::Deadline::Fleet MemoryMiBRange": { "Max": "The maximum amount of memory (in MiB).", "Min": "The minimum amount of memory (in MiB)." }, "AWS::Deadline::Fleet ServiceManagedEc2FleetConfiguration": { "InstanceCapabilities": "The Amazon EC2 instance capabilities.", - "InstanceMarketOptions": "The Amazon EC2 market type." + "InstanceMarketOptions": "The Amazon EC2 market type.", + "StorageProfileId": "The storage profile ID." }, "AWS::Deadline::Fleet ServiceManagedEc2InstanceCapabilities": { "AcceleratorCapabilities": "Describes the GPU accelerator capabilities required for worker host instances in this fleet.", @@ -13131,7 +13547,7 @@ "DBSubnetGroupName": "A subnet group to associate with this cluster.\n\nConstraints: Must match the name of an existing `DBSubnetGroup` . Must not be default.\n\nExample: `mySubnetgroup`", "DeletionProtection": "Protects clusters from being accidentally deleted. If enabled, the cluster cannot be deleted unless it is modified and `DeletionProtection` is disabled.", "EnableCloudwatchLogsExports": "The list of log types that need to be enabled for exporting to Amazon CloudWatch Logs. You can enable audit logs or profiler logs. For more information, see [Auditing Amazon DocumentDB Events](https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html) and [Profiling Amazon DocumentDB Operations](https://docs.aws.amazon.com/documentdb/latest/developerguide/profiling.html) .", - "EngineVersion": "The version number of the database engine to use. The `--engine-version` will default to the latest major engine version. For production workloads, we recommend explicitly declaring this parameter with the intended major engine version.\n\nChanging the `EngineVersion` will start an in-place engine version upgrade. Note that in-place engine version upgrade will cause downtime in the cluster. See [Amazon DocumentDB in-place major version upgrade](https://docs.aws.amazon.com/documentdb/latest/developerguide/docdb-mvu.html) before starting an in-place engine version upgrade.", + "EngineVersion": "The version number of the database engine to use. The `--engine-version` will default to the latest major engine version. For production workloads, we recommend explicitly declaring this parameter with the intended major engine version.\n\nIf you intend to trigger an in-place upgrade, please refer to [Amazon DocumentDB in-place major version upgrade](https://docs.aws.amazon.com/documentdb/latest/developerguide/docdb-mvu.html) . Note that for an in-place engine version upgrade, you need to remove other cluster properties changes (e.g. SecurityGroupId) from the CFN template.", "KmsKeyId": "The AWS KMS key identifier for an encrypted cluster.\n\nThe AWS KMS key identifier is the Amazon Resource Name (ARN) for the AWS KMS encryption key. If you are creating a cluster using the same AWS account that owns the AWS KMS encryption key that is used to encrypt the new cluster, you can use the AWS KMS key alias instead of the ARN for the AWS KMS encryption key.\n\nIf an encryption key is not specified in `KmsKeyId` :\n\n- If the `StorageEncrypted` parameter is `true` , Amazon DocumentDB uses your default encryption key.\n\nAWS KMS creates the default encryption key for your AWS account . Your AWS account has a different default encryption key for each AWS Regions .", "ManageMasterUserPassword": "Specifies whether to manage the master user password with Amazon Web Services Secrets Manager.\n\nConstraint: You can't manage the master user password with Amazon Web Services Secrets Manager if `MasterUserPassword` is specified.", "MasterUserPassword": "The password for the master database user. This password can contain any printable ASCII character except forward slash (/), double quote (\"), or the \"at\" symbol (@).\n\nConstraints: Must contain from 8 to 100 characters.", @@ -13387,9 +13803,9 @@ "ContributorInsightsSpecification": "The settings used to enable or disable CloudWatch Contributor Insights for the specified global secondary index.", "IndexName": "The name of the global secondary index. The name must be unique among all other indexes on this table.", "KeySchema": "The complete key schema for a global secondary index, which consists of one or more pairs of attribute names and key types:\n\n- `HASH` - partition key\n- `RANGE` - sort key\n\n> The partition key of an item is also known as its *hash attribute* . The term \"hash attribute\" derives from DynamoDB's usage of an internal hash function to evenly distribute data items across partitions, based on their partition key values.\n> \n> The sort key of an item is also known as its *range attribute* . The term \"range attribute\" derives from the way DynamoDB stores items with the same partition key physically close together, in sorted order by the sort key value.", - "OnDemandThroughput": "The maximum number of read and write units for the specified global secondary index. If you use this parameter, you must specify `MaxReadRequestUnits` , `MaxWriteRequestUnits` , or both.", + "OnDemandThroughput": "The maximum number of read and write units for the specified global secondary index. If you use this parameter, you must specify `MaxReadRequestUnits` , `MaxWriteRequestUnits` , or both. You must use either `OnDemandThroughput` or `ProvisionedThroughput` based on your table's capacity mode.", "Projection": "Represents attributes that are copied (projected) from the table into the global secondary index. These are in addition to the primary key attributes and index key attributes, which are automatically projected.", - "ProvisionedThroughput": "Represents the provisioned throughput settings for the specified global secondary index.\n\nFor current minimum and maximum provisioned throughput values, see [Service, Account, and Table Quotas](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html) in the *Amazon DynamoDB Developer Guide* .", + "ProvisionedThroughput": "Represents the provisioned throughput settings for the specified global secondary index. You must use either `OnDemandThroughput` or `ProvisionedThroughput` based on your table's capacity mode.\n\nFor current minimum and maximum provisioned throughput values, see [Service, Account, and Table Quotas](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html) in the *Amazon DynamoDB Developer Guide* .", "WarmThroughput": "Represents the warm throughput value (in read units per second and write units per second) for the specified secondary index. If you use this parameter, you must specify `ReadUnitsPerSecond` , `WriteUnitsPerSecond` , or both." }, "AWS::DynamoDB::Table ImportSourceSpecification": { @@ -13540,9 +13956,10 @@ "ClientCidrBlock": "The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually. The address range cannot be changed after the Client VPN endpoint has been created. Client CIDR range must have a size of at least /22 and must not be greater than /12.", "ClientConnectOptions": "The options for managing connection authorization for new client connections.", "ClientLoginBannerOptions": "Options for enabling a customizable text banner that will be displayed on AWS provided clients when a VPN session is established.", + "ClientRouteEnforcementOptions": "Client route enforcement is a feature of the Client VPN service that helps enforce administrator defined routes on devices connected through the VPN. T his feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.\n\nClient route enforcement works by monitoring the route table of a connected device for routing policy changes to the VPN connection. If the feature detects any VPN routing policy modifications, it will automatically force an update to the route table, reverting it back to the expected route configurations.", "ConnectionLogOptions": "Information about the client connection logging options.\n\nIf you enable client connection logging, data about client connections is sent to a Cloudwatch Logs log stream. The following information is logged:\n\n- Client connection requests\n- Client connection results (successful and unsuccessful)\n- Reasons for unsuccessful client connection requests\n- Client connection termination time", "Description": "A brief description of the Client VPN endpoint.", - "DisconnectOnSessionTimeout": "Indicates whether the client VPN session is disconnected after the maximum `sessionTimeoutHours` is reached. If `true` , users are prompted to reconnect client VPN. If `false` , client VPN attempts to reconnect automatically. The default value is `false` .", + "DisconnectOnSessionTimeout": "Indicates whether the client VPN session is disconnected after the maximum `sessionTimeoutHours` is reached. If `true` , users are prompted to reconnect client VPN. If `false` , client VPN attempts to reconnect automatically. The default value is `true` .", "DnsServers": "Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address configured on the device is used for the DNS server.", "SecurityGroupIds": "The IDs of one or more security groups to apply to the target network. You must also specify the ID of the VPC that contains the security groups.", "SelfServicePortal": "Specify whether to enable the self-service portal for the Client VPN endpoint.\n\nDefault Value: `enabled`", @@ -13571,6 +13988,9 @@ "BannerText": "Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters.", "Enabled": "Enable or disable a customizable text banner that will be displayed on AWS provided clients when a VPN session is established.\n\nValid values: `true | false`\n\nDefault value: `false`" }, + "AWS::EC2::ClientVpnEndpoint ClientRouteEnforcementOptions": { + "Enforced": "Enable or disable Client Route Enforcement. The state can either be `true` (enabled) or `false` (disabled). The default is `false` .\n\nValid values: `true | false`\n\nDefault value: `false`" + }, "AWS::EC2::ClientVpnEndpoint ConnectionLogOptions": { "CloudwatchLogGroup": "The name of the CloudWatch Logs log group. Required if connection logging is enabled.", "CloudwatchLogStream": "The name of the CloudWatch Logs log stream to which the connection data is published.", @@ -13656,6 +14076,12 @@ "AWS::EC2::EC2Fleet BaselinePerformanceFactorsRequest": { "Cpu": "The CPU performance to consider, using an instance family as the baseline reference." }, + "AWS::EC2::EC2Fleet BlockDeviceMapping": { + "DeviceName": "The device name (for example, `/dev/sdh` or `xvdh` ).", + "Ebs": "Parameters used to automatically set up EBS volumes when the instance is launched.", + "NoDevice": "To omit the device from the block device mapping, specify an empty string. When this property is specified, the device is removed from the block device mapping regardless of the assigned value.", + "VirtualName": "The virtual device name ( `ephemeral` N). Instance store volumes are numbered starting from 0. An instance type with 2 available instance store volumes can specify mappings for `ephemeral0` and `ephemeral1` . The number of available instance store volumes depends on the instance type. After you connect to the instance, you must mount the volume.\n\nNVMe instance store volumes are automatically enumerated and assigned a device name. Including them in your block device mapping has no effect.\n\nConstraints: For M3 instances, you must specify instance store volumes in the block device mapping for the instance. When you launch an M3 instance, we ignore any instance store volumes specified in the block device mapping for the AMI." + }, "AWS::EC2::EC2Fleet CapacityRebalance": { "ReplacementStrategy": "The replacement strategy to use. Only available for fleets of type `maintain` .\n\n`launch` - EC2 Fleet launches a replacement Spot Instance when a rebalance notification is emitted for an existing Spot Instance in the fleet. EC2 Fleet does not terminate the instances that receive a rebalance notification. You can terminate the old instances, or you can leave them running. You are charged for all instances while they are running.\n\n`launch-before-terminate` - EC2 Fleet launches a replacement Spot Instance when a rebalance notification is emitted for an existing Spot Instance in the fleet, and then, after a delay that you specify (in `TerminationDelay` ), terminates the instances that received a rebalance notification.", "TerminationDelay": "The amount of time (in seconds) that Amazon EC2 waits before terminating the old Spot Instance after launching a new replacement Spot Instance.\n\nRequired when `ReplacementStrategy` is set to `launch-before-terminate` .\n\nNot valid when `ReplacementStrategy` is set to `launch` .\n\nValid values: Minimum value of `120` seconds. Maximum value of `7200` seconds." @@ -13666,12 +14092,22 @@ "AWS::EC2::EC2Fleet CpuPerformanceFactorRequest": { "References": "Specify an instance family to use as the baseline reference for CPU performance. All instance types that match your specified attributes will be compared against the CPU performance of the referenced instance family, regardless of CPU manufacturer or architecture differences.\n\n> Currently, only one instance family can be specified in the list." }, + "AWS::EC2::EC2Fleet EbsBlockDevice": { + "DeleteOnTermination": "Indicates whether the EBS volume is deleted on instance termination. For more information, see [Preserving Amazon EBS volumes on instance termination](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#preserving-volumes-on-termination) in the *Amazon EC2 User Guide* .", + "Encrypted": "Indicates whether the encryption state of an EBS volume is changed while being restored from a backing snapshot. The effect of setting the encryption state to `true` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see [Amazon EBS encryption](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html#encryption-parameters) in the *Amazon EBS User Guide* .\n\nIn no case can you remove encryption from an encrypted volume.\n\nEncrypted volumes can only be attached to instances that support Amazon EBS encryption. For more information, see [Supported instance types](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption-requirements.html#ebs-encryption_supported_instances) .\n\nThis parameter is not returned by `DescribeImageAttribute` .\n\nFor `CreateImage` and `RegisterImage` , whether you can include this parameter, and the allowed values differ depending on the type of block device mapping you are creating.\n\n- If you are creating a block device mapping for a *new (empty) volume* , you can include this parameter, and specify either `true` for an encrypted volume, or `false` for an unencrypted volume. If you omit this parameter, it defaults to `false` (unencrypted).\n- If you are creating a block device mapping from an *existing encrypted or unencrypted snapshot* , you must omit this parameter. If you include this parameter, the request will fail, regardless of the value that you specify.\n- If you are creating a block device mapping from an *existing unencrypted volume* , you can include this parameter, but you must specify `false` . If you specify `true` , the request will fail. In this case, we recommend that you omit the parameter.\n- If you are creating a block device mapping from an *existing encrypted volume* , you can include this parameter, and specify either `true` or `false` . However, if you specify `false` , the parameter is ignored and the block device mapping is always encrypted. In this case, we recommend that you omit the parameter.", + "Iops": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type:\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nFor `io2` volumes, you can achieve up to 256,000 IOPS on [instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) . On other instances, you can achieve performance up to 32,000 IOPS.\n\nThis parameter is required for `io1` and `io2` volumes. The default for `gp3` volumes is 3,000 IOPS.", + "KmsKeyId": "Identifier (key ID, key alias, key ARN, or alias ARN) of the customer managed KMS key to use for EBS encryption.\n\nThis parameter is only supported on `BlockDeviceMapping` objects called by [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) , [RequestSpotFleet](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestSpotFleet.html) , and [RequestSpotInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestSpotInstances.html) .", + "SnapshotId": "The ID of the snapshot.", + "VolumeSize": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.\n\nThe following are the supported sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", + "VolumeType": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html) in the *Amazon EBS User Guide* ." + }, "AWS::EC2::EC2Fleet FleetLaunchTemplateConfigRequest": { "LaunchTemplateSpecification": "The launch template to use. You must specify either the launch template ID or launch template name in the request.", "Overrides": "Any parameters that you specify override the same parameters in the launch template.\n\nFor fleets of type `request` and `maintain` , a maximum of 300 items is allowed across all launch templates." }, "AWS::EC2::EC2Fleet FleetLaunchTemplateOverridesRequest": { "AvailabilityZone": "The Availability Zone in which to launch the instances.", + "BlockDeviceMappings": "The block device mappings, which define the EBS volumes and instance store volumes to attach to the instance at launch.\n\nSupported only for fleets of type `instant` .\n\nFor more information, see [Block device mappings for volumes on Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) in the *Amazon EC2 User Guide* .", "InstanceRequirements": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with those attributes.\n\n> If you specify `InstanceRequirements` , you can't specify `InstanceType` .", "InstanceType": "The instance type.\n\n`mac1.metal` is not supported as a launch template override.\n\n> If you specify `InstanceType` , you can't specify `InstanceRequirements` .", "MaxPrice": "The maximum price per unit hour that you are willing to pay for a Spot Instance. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your instances will be interrupted more frequently than if you do not specify this parameter.\n> \n> If you specify a maximum price, it must be more than USD $0.001. Specifying a value below USD $0.001 will result in an `InvalidParameterValue` error message.", @@ -13690,7 +14126,7 @@ "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", "AcceleratorNames": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify `a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "AcceleratorTotalMemoryMiB": "The minimum and maximum amount of total accelerator memory, in MiB.\n\nDefault: No minimum or maximum limits", - "AcceleratorTypes": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n\nDefault: Any accelerator type", + "AcceleratorTypes": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with Inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "AllowedInstanceTypes": "The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes.\n\nYou can use strings with one or more wild cards, represented by an asterisk ( `*` ), to allow an instance type, size, or generation. The following are examples: `m5.8xlarge` , `c5*.*` , `m5a.*` , `r*` , `*3*` .\n\nFor example, if you specify `c5*` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types.\n\n> If you specify `AllowedInstanceTypes` , you can't specify `ExcludedInstanceTypes` . \n\nDefault: All instance types", "BareMetal": "Indicates whether bare metal instance types must be included, excluded, or required.\n\n- To include bare metal instance types, specify `included` .\n- To require only bare metal instance types, specify `required` .\n- To exclude bare metal instance types, specify `excluded` .\n\nDefault: `excluded`", "BaselineEbsBandwidthMbps": "The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more information, see [Amazon EBS\u2013optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide* .\n\nDefault: No minimum or maximum limits", @@ -13847,12 +14283,18 @@ "HostRecovery": "Indicates whether to enable or disable host recovery for the Dedicated Host. Host recovery is disabled by default. For more information, see [Host recovery](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-recovery.html) in the *Amazon EC2 User Guide* .\n\nDefault: `off`", "InstanceFamily": "The instance family supported by the Dedicated Host. For example, `m5` .", "InstanceType": "Specifies the instance type to be supported by the Dedicated Hosts. If you specify an instance type, the Dedicated Hosts support instances of the specified instance type only.", - "OutpostArn": "The Amazon Resource Name (ARN) of the AWS Outpost on which the Dedicated Host is allocated." + "OutpostArn": "The Amazon Resource Name (ARN) of the AWS Outpost on which the Dedicated Host is allocated.", + "Tags": "Any tags assigned to the Dedicated Host." + }, + "AWS::EC2::Host Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with `aws:` .", + "Value": "The value of the tag.\n\nConstraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters." }, "AWS::EC2::IPAM": { "DefaultResourceDiscoveryOrganizationalUnitExclusions": "If your IPAM is integrated with AWS Organizations, you can exclude an [organizational unit (OU)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organizationalunit) from being managed by IPAM. When you exclude an OU, IPAM will not manage the IP addresses in accounts in that OU. For more information, see [Exclude organizational units from IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/exclude-ous.html) in the *Amazon Virtual Private Cloud IP Address Manager User Guide* .", "Description": "The description for the IPAM.", "EnablePrivateGua": "Enable this option to use your own GUA ranges as private IPv6 addresses. This option is disabled by default.", + "MeteredAccount": "", "OperatingRegions": "The operating Regions for an IPAM. Operating Regions are AWS Regions where the IPAM is allowed to manage IP address CIDRs. IPAM only discovers and monitors resources in the AWS Regions you select as operating Regions.\n\nFor more information about operating Regions, see [Create an IPAM](https://docs.aws.amazon.com//vpc/latest/ipam/create-ipam.html) in the *Amazon VPC IPAM User Guide* .", "Tags": "The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value.", "Tier": "IPAM is offered in a Free Tier and an Advanced Tier. For more information about the features available in each tier and the costs associated with the tiers, see the [VPC IPAM product pricing page](https://docs.aws.amazon.com//vpc/pricing/) ." @@ -13968,6 +14410,7 @@ "KeyName": "The name of the key pair. You can create a key pair using [CreateKeyPair](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateKeyPair.html) or [ImportKeyPair](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html) .\n\n> If you do not specify a key pair, you can't connect to the instance unless you choose an AMI that is configured to allow users another way to log in.", "LaunchTemplate": "The launch template. Any additional parameters that you specify for the new instance overwrite the corresponding parameters included in the launch template.", "LicenseSpecifications": "The license configurations.", + "MetadataOptions": "The metadata options for the instance.", "Monitoring": "Specifies whether detailed monitoring is enabled for the instance. Specify `true` to enable detailed monitoring. Otherwise, basic monitoring is enabled. For more information about detailed monitoring, see [Enable or turn off detailed monitoring for your instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html) in the *Amazon EC2 User Guide* .", "NetworkInterfaces": "The network interfaces to associate with the instance.\n\n> If you use this property to point to a network interface, you must terminate the original interface before attaching a new one to allow the update of the instance to succeed.\n> \n> If this resource has a public IP address and is also in a VPC that is defined in the same template, you must use the [DependsOn Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) to declare a dependency on the VPC-gateway attachment.", "PlacementGroupName": "The name of an existing placement group that you want to launch the instance into (cluster | partition | spread).", @@ -14042,6 +14485,13 @@ "AWS::EC2::Instance LicenseSpecification": { "LicenseConfigurationArn": "The Amazon Resource Name (ARN) of the license configuration." }, + "AWS::EC2::Instance MetadataOptions": { + "HttpEndpoint": "Enables or disables the HTTP metadata endpoint on your instances.\n\nIf you specify a value of `disabled` , you cannot access your instance metadata.\n\nDefault: `enabled`", + "HttpProtocolIpv6": "Enables or disables the IPv6 endpoint for the instance metadata service.\n\nDefault: `disabled`", + "HttpPutResponseHopLimit": "The maximum number of hops that the metadata token can travel.\n\nPossible values: Integers from 1 to 64", + "HttpTokens": "Indicates whether IMDSv2 is required.\n\n- `optional` - IMDSv2 is optional, which means that you can use either IMDSv2 or IMDSv1.\n- `required` - IMDSv2 is required, which means that IMDSv1 is disabled, and you must use IMDSv2.\n\nDefault:\n\n- If the value of `ImdsSupport` for the Amazon Machine Image (AMI) for your instance is `v2.0` and the account level default is set to `no-preference` , the default is `required` .\n- If the value of `ImdsSupport` for the Amazon Machine Image (AMI) for your instance is `v2.0` , but the account level default is set to `V1 or V2` , the default is `optional` .\n\nThe default value can also be affected by other combinations of parameters. For more information, see [Order of precedence for instance metadata options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#instance-metadata-options-order-of-precedence) in the *Amazon EC2 User Guide* .", + "InstanceMetadataTags": "Set to `enabled` to allow access to instance tags from the instance metadata. Set to `disabled` to turn off access to instance tags from the instance metadata. For more information, see [Work with instance tags using the instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS) .\n\nDefault: `disabled`" + }, "AWS::EC2::Instance NetworkInterface": { "AssociateCarrierIpAddress": "Indicates whether to assign a carrier IP address to the network interface.\n\nYou can only assign a carrier IP address to a network interface that is in a subnet in a Wavelength Zone. For more information about carrier IP addresses, see [Carrier IP address](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", "AssociatePublicIpAddress": "Indicates whether to assign a public IPv4 address to an instance. Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is `true` .\n\nAWS charges for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/) .", @@ -14170,6 +14620,7 @@ "KmsKeyId": "Identifier (key ID, key alias, key ARN, or alias ARN) of the customer managed KMS key to use for EBS encryption.", "SnapshotId": "The ID of the snapshot.", "Throughput": "The throughput to provision for a `gp3` volume, with a maximum of 1,000 MiB/s.\n\nValid Range: Minimum value of 125. Maximum value of 1000.", + "VolumeInitializationRate": "Specifies the Amazon EBS Provisioned Rate for Volume Initialization (volume initialization rate), in MiB/s, at which to download the snapshot blocks from Amazon S3 to the volume. This is also known as *volume initialization* . Specifying a volume initialization rate ensures that the volume is initialized at a predictable and consistent rate after creation.\n\nThis parameter is supported only for volumes created from snapshots. Omit this parameter if:\n\n- You want to create the volume using fast snapshot restore. You must specify a snapshot that is enabled for fast snapshot restore. In this case, the volume is fully initialized at creation.\n\n> If you specify a snapshot that is enabled for fast snapshot restore and a volume initialization rate, the volume will be initialized at the specified rate instead of fast snapshot restore.\n- You want to create a volume that is initialized at the default rate.\n\nFor more information, see [Initialize Amazon EBS volumes](https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html) in the *Amazon EC2 User Guide* .\n\nValid range: 100 - 300 MiB/s", "VolumeSize": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type:\n\n- `gp2` and `gp3` : 1 - 16,384 GiB\n- `io1` : 4 - 16,384 GiB\n- `io2` : 4 - 65,536 GiB\n- `st1` and `sc1` : 125 - 16,384 GiB\n- `standard` : 1 - 1024 GiB", "VolumeType": "The volume type. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html) in the *Amazon EBS User Guide* ." }, @@ -14202,7 +14653,7 @@ "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", "AcceleratorNames": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify `a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "AcceleratorTotalMemoryMiB": "The minimum and maximum amount of total accelerator memory, in MiB.\n\nDefault: No minimum or maximum limits", - "AcceleratorTypes": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n\nDefault: Any accelerator type", + "AcceleratorTypes": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with Inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "AllowedInstanceTypes": "The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes.\n\nYou can use strings with one or more wild cards, represented by an asterisk ( `*` ), to allow an instance type, size, or generation. The following are examples: `m5.8xlarge` , `c5*.*` , `m5a.*` , `r*` , `*3*` .\n\nFor example, if you specify `c5*` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types.\n\n> If you specify `AllowedInstanceTypes` , you can't specify `ExcludedInstanceTypes` . \n\nDefault: All instance types", "BareMetal": "Indicates whether bare metal instance types must be included, excluded, or required.\n\n- To include bare metal instance types, specify `included` .\n- To require only bare metal instance types, specify `required` .\n- To exclude bare metal instance types, specify `excluded` .\n\nDefault: `excluded`", "BaselineEbsBandwidthMbps": "The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more information, see [Amazon EBS\u2013optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide* .\n\nDefault: No minimum or maximum limits", @@ -14500,6 +14951,7 @@ "AWS::EC2::NetworkInsightsAnalysis": { "AdditionalAccounts": "The member accounts that contain resources that the path can traverse.", "FilterInArns": "The Amazon Resource Names (ARN) of the resources that the path must traverse.", + "FilterOutArns": "The Amazon Resource Names (ARN) of the resources that the path must ignore.", "NetworkInsightsPathId": "The ID of the path.", "Tags": "The tags to apply." }, @@ -14974,7 +15426,7 @@ "AcceleratorManufacturers": "Indicates whether instance types must have accelerators by specific manufacturers.\n\n- For instance types with AWS devices, specify `amazon-web-services` .\n- For instance types with AMD devices, specify `amd` .\n- For instance types with Habana devices, specify `habana` .\n- For instance types with NVIDIA devices, specify `nvidia` .\n- For instance types with Xilinx devices, specify `xilinx` .\n\nDefault: Any manufacturer", "AcceleratorNames": "The accelerators that must be on the instance type.\n\n- For instance types with NVIDIA A10G GPUs, specify `a10g` .\n- For instance types with NVIDIA A100 GPUs, specify `a100` .\n- For instance types with NVIDIA H100 GPUs, specify `h100` .\n- For instance types with AWS Inferentia chips, specify `inferentia` .\n- For instance types with NVIDIA GRID K520 GPUs, specify `k520` .\n- For instance types with NVIDIA K80 GPUs, specify `k80` .\n- For instance types with NVIDIA M60 GPUs, specify `m60` .\n- For instance types with AMD Radeon Pro V520 GPUs, specify `radeon-pro-v520` .\n- For instance types with NVIDIA T4 GPUs, specify `t4` .\n- For instance types with NVIDIA T4G GPUs, specify `t4g` .\n- For instance types with Xilinx VU9P FPGAs, specify `vu9p` .\n- For instance types with NVIDIA V100 GPUs, specify `v100` .\n\nDefault: Any accelerator", "AcceleratorTotalMemoryMiB": "The minimum and maximum amount of total accelerator memory, in MiB.\n\nDefault: No minimum or maximum limits", - "AcceleratorTypes": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n\nDefault: Any accelerator type", + "AcceleratorTypes": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with Inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "AllowedInstanceTypes": "The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes.\n\nYou can use strings with one or more wild cards, represented by an asterisk ( `*` ), to allow an instance type, size, or generation. The following are examples: `m5.8xlarge` , `c5*.*` , `m5a.*` , `r*` , `*3*` .\n\nFor example, if you specify `c5*` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types.\n\n> If you specify `AllowedInstanceTypes` , you can't specify `ExcludedInstanceTypes` . \n\nDefault: All instance types", "BareMetal": "Indicates whether bare metal instance types must be included, excluded, or required.\n\n- To include bare metal instance types, specify `included` .\n- To require only bare metal instance types, specify `required` .\n- To exclude bare metal instance types, specify `excluded` .\n\nDefault: `excluded`", "BaselineEbsBandwidthMbps": "The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more information, see [Amazon EBS\u2013optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide* .\n\nDefault: No minimum or maximum limits", @@ -15219,8 +15671,8 @@ "AmazonSideAsn": "A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs. The default is 64512.", "AssociationDefaultRouteTableId": "The ID of the default association route table.", "AutoAcceptSharedAttachments": "Enable or disable automatic acceptance of attachment requests. Disabled by default.", - "DefaultRouteTableAssociation": "Enable or disable automatic association with the default association route table. Enabled by default.", - "DefaultRouteTablePropagation": "Enable or disable automatic propagation of routes to the default propagation route table. Enabled by default.", + "DefaultRouteTableAssociation": "Enable or disable automatic association with the default association route table. Enabled by default. If `DefaultRouteTableAssociation` is set to enable, AWS Transit Gateway will create the default transit gateway route table.", + "DefaultRouteTablePropagation": "Enable or disable automatic propagation of routes to the default propagation route table. Enabled by default. If `DefaultRouteTablePropagation` is set to enable, AWS Transit Gateway will create the default transit gateway route table.", "Description": "The description of the transit gateway.", "DnsSupport": "Enable or disable DNS support. Enabled by default.", "MulticastSupport": "Indicates whether multicast is enabled on the transit gateway", @@ -15294,8 +15746,8 @@ }, "AWS::EC2::TransitGatewayPeeringAttachment": { "PeerAccountId": "The ID of the AWS account that owns the transit gateway.", - "PeerRegion": "The Region of the transit gateway.", - "PeerTransitGatewayId": "The ID of the transit gateway.", + "PeerRegion": "The Region where the transit gateway that you want to create the peer for is located.", + "PeerTransitGatewayId": "The ID of the transit gateway in the PeerRegion.", "Tags": "The tags for the transit gateway peering attachment.", "TransitGatewayId": "The ID of the transit gateway peering attachment." }, @@ -15714,6 +16166,7 @@ "SnapshotId": "The snapshot from which to create the volume. You must specify either a snapshot ID or a volume size.", "Tags": "The tags to apply to the volume during creation.", "Throughput": "The throughput to provision for a volume, with a maximum of 1,000 MiB/s.\n\nThis parameter is valid only for `gp3` volumes. The default value is 125.\n\nValid Range: Minimum value of 125. Maximum value of 1000.", + "VolumeInitializationRate": "Specifies the Amazon EBS Provisioned Rate for Volume Initialization (volume initialization rate), in MiB/s, at which to download the snapshot blocks from Amazon S3 to the volume. This is also known as *volume initialization* . Specifying a volume initialization rate ensures that the volume is initialized at a predictable and consistent rate after creation.\n\nThis parameter is supported only for volumes created from snapshots. Omit this parameter if:\n\n- You want to create the volume using fast snapshot restore. You must specify a snapshot that is enabled for fast snapshot restore. In this case, the volume is fully initialized at creation.\n\n> If you specify a snapshot that is enabled for fast snapshot restore and a volume initialization rate, the volume will be initialized at the specified rate instead of fast snapshot restore.\n- You want to create a volume that is initialized at the default rate.\n\nFor more information, see [Initialize Amazon EBS volumes](https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html) in the *Amazon EC2 User Guide* .\n\nValid range: 100 - 300 MiB/s", "VolumeType": "The volume type. This parameter can be one of the following values:\n\n- General Purpose SSD: `gp2` | `gp3`\n- Provisioned IOPS SSD: `io1` | `io2`\n- Throughput Optimized HDD: `st1`\n- Cold HDD: `sc1`\n- Magnetic: `standard`\n\nFor more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html) .\n\nDefault: `gp2`" }, "AWS::EC2::Volume Tag": { @@ -15753,6 +16206,18 @@ "AWS::ECR::RegistryPolicy": { "PolicyText": "The JSON policy text for your registry." }, + "AWS::ECR::RegistryScanningConfiguration": { + "Rules": "The scanning rules associated with the registry.", + "ScanType": "The type of scanning configured for the registry." + }, + "AWS::ECR::RegistryScanningConfiguration RepositoryFilter": { + "Filter": "The filter to use when scanning.", + "FilterType": "The type associated with the filter." + }, + "AWS::ECR::RegistryScanningConfiguration ScanningRule": { + "RepositoryFilters": "The details of a scanning repository filter. For more information on how to use filters, see [Using filters](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#image-scanning-filters) in the *Amazon Elastic Container Registry User Guide* .", + "ScanFrequency": "The frequency that scans are performed at for a private registry. When the `ENHANCED` scan type is specified, the supported scan frequencies are `CONTINUOUS_SCAN` and `SCAN_ON_PUSH` . When the `BASIC` scan type is specified, the `SCAN_ON_PUSH` scan frequency is supported. If scan on push is not specified, then the `MANUAL` scan frequency is set by default." + }, "AWS::ECR::ReplicationConfiguration": { "ReplicationConfiguration": "The replication configuration for a registry." }, @@ -15872,8 +16337,8 @@ "S3KeyPrefix": "An optional folder in the S3 bucket to place logs in." }, "AWS::ECS::Cluster ManagedStorageConfiguration": { - "FargateEphemeralStorageKmsKeyId": "Specify the AWS Key Management Service key ID for the Fargate ephemeral storage.\n\nThe key must be a single Region key.", - "KmsKeyId": "Specify a AWS Key Management Service key ID to encrypt the managed storage.\n\nThe key must be a single Region key." + "FargateEphemeralStorageKmsKeyId": "Specify the AWS Key Management Service key ID for Fargate ephemeral storage.\n\nWhen you specify a `fargateEphemeralStorageKmsKeyId` , AWS Fargate uses the key to encrypt data at rest in ephemeral storage. For more information about Fargate ephemeral storage encryption, see [Customer managed keys for AWS Fargate ephemeral storage for Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-storage-encryption.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nThe key must be a single Region key.", + "KmsKeyId": "Specify a AWS Key Management Service key ID to encrypt Amazon ECS managed storage.\n\nWhen you specify a `kmsKeyId` , Amazon ECS uses the key to encrypt data volumes managed by Amazon ECS that are attached to tasks in the cluster. The following data volumes are managed by Amazon ECS: Amazon EBS. For more information about encryption of Amazon EBS volumes attached to Amazon ECS tasks, see [Encrypt data stored in Amazon EBS volumes for Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ebs-kms-encryption.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nThe key must be a single Region key." }, "AWS::ECS::Cluster ServiceConnectDefaults": { "Namespace": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include greater than (>), less than (<), double quotation marks (\"), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the cluster with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* ." @@ -15965,7 +16430,7 @@ }, "AWS::ECS::Service LogConfiguration": { "LogDriver": "The log driver to use for the container.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `syslog` , `splunk` , and `awsfirelens` .\n\nFor more information about using the `awslogs` log driver, see [Send Amazon ECS logs to CloudWatch](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor more information about using the `awsfirelens` log driver, see [Send Amazon ECS logs to an AWS service or AWS Partner](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html) .\n\n> If you have a custom driver that isn't listed, you can fork the Amazon ECS container agent project that's [available on GitHub](https://docs.aws.amazon.com/https://github.com/aws/amazon-ecs-agent) and customize it to work with that driver. We encourage you to submit pull requests for changes that you would like to have included. However, we don't currently provide support for running modified copies of this software.", - "Options": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", + "Options": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n\n> On June 25, 2025, Amazon ECS is changing the default log driver mode from `blocking` to `non-blocking` to prioritize task availability over logging. To continue using the `blocking` mode after this change, do one of the following:\n> \n> - Set the `mode` option in your container definition's `logConfiguration` as `blocking` .\n> - Set the `defaultLogDriverMode` account setting to `blocking` .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", "SecretOptions": "The secrets to pass to the log configuration. For more information, see [Specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the *Amazon Elastic Container Service Developer Guide* ." }, "AWS::ECS::Service NetworkConfiguration": { @@ -16010,15 +16475,16 @@ "RoleArn": "The Amazon Resource Name (ARN) of the IAM role that's associated with the Service Connect TLS." }, "AWS::ECS::Service ServiceManagedEBSVolumeConfiguration": { - "Encrypted": "Indicates whether the volume should be encrypted. If no value is specified, encryption is turned on by default. This parameter maps 1:1 with the `Encrypted` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", - "FilesystemType": "The filesystem type for the volume. For volumes created from a snapshot, you must specify the same filesystem type that the volume was using when the snapshot was created. If there is a filesystem type mismatch, the task will fail to start.\n\nThe available Linux filesystem types are `ext3` , `ext4` , and `xfs` . If no value is specified, the `xfs` filesystem type is used by default.\n\nThe available Windows filesystem types are `NTFS` .", + "Encrypted": "Indicates whether the volume should be encrypted. If you turn on Region-level Amazon EBS encryption by default but set this value as `false` , the setting is overridden and the volume is encrypted with the KMS key specified for Amazon EBS encryption by default. This parameter maps 1:1 with the `Encrypted` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", + "FilesystemType": "The filesystem type for the volume. For volumes created from a snapshot, you must specify the same filesystem type that the volume was using when the snapshot was created. If there is a filesystem type mismatch, the tasks will fail to start.\n\nThe available Linux filesystem types are `ext3` , `ext4` , and `xfs` . If no value is specified, the `xfs` filesystem type is used by default.\n\nThe available Windows filesystem types are `NTFS` .", "Iops": "The number of I/O operations per second (IOPS). For `gp3` , `io1` , and `io2` volumes, this represents the number of IOPS that are provisioned for the volume. For `gp2` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.\n\nThe following are the supported values for each volume type.\n\n- `gp3` : 3,000 - 16,000 IOPS\n- `io1` : 100 - 64,000 IOPS\n- `io2` : 100 - 256,000 IOPS\n\nThis parameter is required for `io1` and `io2` volume types. The default for `gp3` volumes is `3,000 IOPS` . This parameter is not supported for `st1` , `sc1` , or `standard` volume types.\n\nThis parameter maps 1:1 with the `Iops` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", - "KmsKeyId": "The Amazon Resource Name (ARN) identifier of the AWS Key Management Service key to use for Amazon EBS encryption. When encryption is turned on and no AWS Key Management Service key is specified, the default AWS managed key for Amazon EBS volumes is used. This parameter maps 1:1 with the `KmsKeyId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .\n\n> AWS authenticates the AWS Key Management Service key asynchronously. Therefore, if you specify an ID, alias, or ARN that is invalid, the action can appear to complete, but eventually fails.", + "KmsKeyId": "The Amazon Resource Name (ARN) identifier of the AWS Key Management Service key to use for Amazon EBS encryption. When a key is specified using this parameter, it overrides Amazon EBS default encryption or any KMS key that you specified for cluster-level managed storage encryption. This parameter maps 1:1 with the `KmsKeyId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* . For more information about encrypting Amazon EBS volumes attached to tasks, see [Encrypt data stored in Amazon EBS volumes attached to Amazon ECS tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ebs-kms-encryption.html) .\n\n> AWS authenticates the AWS Key Management Service key asynchronously. Therefore, if you specify an ID, alias, or ARN that is invalid, the action can appear to complete, but eventually fails.", "RoleArn": "The ARN of the IAM role to associate with this volume. This is the Amazon ECS infrastructure IAM role that is used to manage your AWS infrastructure. We recommend using the Amazon ECS-managed `AmazonECSInfrastructureRolePolicyForVolumes` IAM policy with this role. For more information, see [Amazon ECS infrastructure IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/infrastructure_IAM_role.html) in the *Amazon ECS Developer Guide* .", "SizeInGiB": "The size of the volume in GiB. You must specify either a volume size or a snapshot ID. If you specify a snapshot ID, the snapshot size is used for the volume size by default. You can optionally specify a volume size greater than or equal to the snapshot size. This parameter maps 1:1 with the `Size` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .\n\nThe following are the supported volume size values for each volume type.\n\n- `gp2` and `gp3` : 1-16,384\n- `io1` and `io2` : 4-16,384\n- `st1` and `sc1` : 125-16,384\n- `standard` : 1-1,024", - "SnapshotId": "The snapshot that Amazon ECS uses to create the volume. You must specify either a snapshot ID or a volume size. This parameter maps 1:1 with the `SnapshotId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", + "SnapshotId": "The snapshot that Amazon ECS uses to create volumes for attachment to tasks maintained by the service. You must specify either `snapshotId` or `sizeInGiB` in your volume configuration. This parameter maps 1:1 with the `SnapshotId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", "TagSpecifications": "The tags to apply to the volume. Amazon ECS applies service-managed tags by default. This parameter maps 1:1 with the `TagSpecifications.N` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", "Throughput": "The throughput to provision for a volume, in MiB/s, with a maximum of 1,000 MiB/s. This parameter maps 1:1 with the `Throughput` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .\n\n> This parameter is only supported for the `gp3` volume type.", + "VolumeInitializationRate": "The rate, in MiB/s, at which data is fetched from a snapshot of an existing EBS volume to create new volumes for attachment to the tasks maintained by the service. This property can be specified only if you specify a `snapshotId` . For more information, see [Initialize Amazon EBS volumes](https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html) in the *Amazon EBS User Guide* .", "VolumeType": "The volume type. This parameter maps 1:1 with the `VolumeType` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* . For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html) in the *Amazon EC2 User Guide* .\n\nThe following are the supported volume types.\n\n- General Purpose SSD: `gp2` | `gp3`\n- Provisioned IOPS SSD: `io1` | `io2`\n- Throughput Optimized HDD: `st1`\n- Cold HDD: `sc1`\n- Magnetic: `standard`\n\n> The magnetic volume type is not supported on Fargate." }, "AWS::ECS::Service ServiceRegistry": { @@ -16046,7 +16512,7 @@ }, "AWS::ECS::TaskDefinition": { "ContainerDefinitions": "A list of container definitions in JSON format that describe the different containers that make up your task. For more information about container definition parameters and defaults, see [Amazon ECS Task Definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_defintions.html) in the *Amazon Elastic Container Service Developer Guide* .", - "Cpu": "The number of `cpu` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the `memory` parameter.\n\nIf you're using the EC2 launch type or the external launch type, this field is optional. Supported values are between `128` CPU units ( `0.125` vCPUs) and `196608` CPU units ( `192` vCPUs). The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate.\n\n- 256 (.25 vCPU) - Available `memory` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB)\n- 512 (.5 vCPU) - Available `memory` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB)\n- 1024 (1 vCPU) - Available `memory` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB)\n- 2048 (2 vCPU) - Available `memory` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB)\n- 4096 (4 vCPU) - Available `memory` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB)\n- 8192 (8 vCPU) - Available `memory` values: 16 GB and 60 GB in 4 GB increments\n\nThis option requires Linux platform `1.4.0` or later.\n- 16384 (16vCPU) - Available `memory` values: 32GB and 120 GB in 8 GB increments\n\nThis option requires Linux platform `1.4.0` or later.", + "Cpu": "The number of `cpu` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the `memory` parameter.\n\nIf you're using the EC2 launch type or the external launch type, this field is optional. Supported values are between `128` CPU units ( `0.125` vCPUs) and `196608` CPU units ( `192` vCPUs).\n\nThis field is required for Fargate. For information about the valid values, see [Task size](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) in the *Amazon Elastic Container Service Developer Guide* .", "EnableFaultInjection": "Enables fault injection and allows for fault injection requests to be accepted from the task's containers. The default value is `false` .", "EphemeralStorage": "The ephemeral storage settings to use for tasks run with the task definition.", "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf. For informationabout the required IAM roles for Amazon ECS, see [IAM roles for Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-ecs-iam-role-overview.html) in the *Amazon Elastic Container Service Developer Guide* .", @@ -16072,7 +16538,7 @@ "Command": "The command that's passed to the container. This parameter maps to `Cmd` in the docker container create command and the `COMMAND` parameter to docker run. If there are multiple arguments, each argument is a separated string in the array.", "Cpu": "The number of `cpu` units reserved for the container. This parameter maps to `CpuShares` in the docker container create commandand the `--cpu-shares` option to docker run.\n\nThis field is optional for tasks using the Fargate launch type, and the only requirement is that the total amount of CPU reserved for all containers within a task be lower than the task-level `cpu` value.\n\n> You can determine the number of CPU units that are available per EC2 instance type by multiplying the vCPUs listed for that instance type on the [Amazon EC2 Instances](https://docs.aws.amazon.com/ec2/instance-types/) detail page by 1,024. \n\nLinux containers share unallocated CPU units with other containers on the container instance with the same ratio as their allocated amount. For example, if you run a single-container task on a single-core instance type with 512 CPU units specified for that container, and that's the only task running on the container instance, that container could use the full 1,024 CPU unit share at any given time. However, if you launched another copy of the same task on that container instance, each task is guaranteed a minimum of 512 CPU units when needed. Moreover, each container could float to higher CPU usage if the other container was not using it. If both tasks were 100% active all of the time, they would be limited to 512 CPU units.\n\nOn Linux container instances, the Docker daemon on the container instance uses the CPU value to calculate the relative CPU share ratios for running containers. The minimum valid CPU share value that the Linux kernel allows is 2, and the maximum valid CPU share value that the Linux kernel allows is 262144. However, the CPU parameter isn't required, and you can use CPU values below 2 or above 262144 in your container definitions. For CPU values below 2 (including null) or above 262144, the behavior varies based on your Amazon ECS container agent version:\n\n- *Agent versions less than or equal to 1.1.0:* Null and zero CPU values are passed to Docker as 0, which Docker then converts to 1,024 CPU shares. CPU values of 1 are passed to Docker as 1, which the Linux kernel converts to two CPU shares.\n- *Agent versions greater than or equal to 1.2.0:* Null, zero, and CPU values of 1 are passed to Docker as 2.\n- *Agent versions greater than or equal to 1.84.0:* CPU values greater than 256 vCPU are passed to Docker as 256, which is equivalent to 262144 CPU shares.\n\nOn Windows container instances, the CPU limit is enforced as an absolute limit, or a quota. Windows containers only have access to the specified amount of CPU that's described in the task definition. A null or zero CPU value is passed to Docker as `0` , which Windows interprets as 1% of one CPU.", "CredentialSpecs": "A list of ARNs in SSM or Amazon S3 to a credential spec ( `CredSpec` ) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the `dockerSecurityOptions` . The maximum number of ARNs is 1.\n\nThere are two formats for each ARN.\n\n- **credentialspecdomainless:MyARN** - You use `credentialspecdomainless:MyARN` to provide a `CredSpec` with an additional section for a secret in AWS Secrets Manager . You provide the login credentials to the domain in the secret.\n\nEach task that runs on any container instance can join different domains.\n\nYou can use this format without joining the container instance to a domain.\n- **credentialspec:MyARN** - You use `credentialspec:MyARN` to provide a `CredSpec` for a single domain.\n\nYou must join the container instance to the domain before you start any tasks that use this task definition.\n\nIn both formats, replace `MyARN` with the ARN in SSM or Amazon S3.\n\nIf you provide a `credentialspecdomainless:MyARN` , the `credspec` must provide a ARN in AWS Secrets Manager for a secret containing the username, password, and the domain to connect to. For better security, the instance isn't joined to the domain for domainless authentication. Other applications on the instance can't use the domainless credentials. You can use this parameter to run tasks on the same instance, even it the tasks need to join different domains. For more information, see [Using gMSAs for Windows Containers](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows-gmsa.html) and [Using gMSAs for Linux Containers](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/linux-gmsa.html) .", - "DependsOn": "The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed.\n\nFor tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the container agent to turn on container dependencies. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nIf the task definition is used in a blue/green deployment that uses [AWS::CodeDeploy::DeploymentGroup BlueGreenDeploymentConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-bluegreendeploymentconfiguration.html) , the `dependsOn` parameter is not supported. For more information see [Issue #680](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/680) on the on the GitHub website.", + "DependsOn": "The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed.\n\nFor tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the container agent to turn on container dependencies. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nIf the task definition is used in a blue/green deployment that uses [AWS::CodeDeploy::DeploymentGroup BlueGreenDeploymentConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-bluegreendeploymentconfiguration.html) , the `dependsOn` parameter is not supported.", "DisableNetworking": "When this parameter is true, networking is off within the container. This parameter maps to `NetworkDisabled` in the docker container create command.\n\n> This parameter is not supported for Windows containers.", "DnsSearchDomains": "A list of DNS search domains that are presented to the container. This parameter maps to `DnsSearch` in the docker container create command and the `--dns-search` option to docker run.\n\n> This parameter is not supported for Windows containers.", "DnsServers": "A list of DNS servers that are presented to the container. This parameter maps to `Dns` in the docker container create command and the `--dns` option to docker run.\n\n> This parameter is not supported for Windows containers.", @@ -16192,7 +16658,7 @@ }, "AWS::ECS::TaskDefinition LogConfiguration": { "LogDriver": "The log driver to use for the container.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `syslog` , `splunk` , and `awsfirelens` .\n\nFor more information about using the `awslogs` log driver, see [Send Amazon ECS logs to CloudWatch](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor more information about using the `awsfirelens` log driver, see [Send Amazon ECS logs to an AWS service or AWS Partner](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html) .\n\n> If you have a custom driver that isn't listed, you can fork the Amazon ECS container agent project that's [available on GitHub](https://docs.aws.amazon.com/https://github.com/aws/amazon-ecs-agent) and customize it to work with that driver. We encourage you to submit pull requests for changes that you would like to have included. However, we don't currently provide support for running modified copies of this software.", - "Options": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", + "Options": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n\n> On June 25, 2025, Amazon ECS is changing the default log driver mode from `blocking` to `non-blocking` to prioritize task availability over logging. To continue using the `blocking` mode after this change, do one of the following:\n> \n> - Set the `mode` option in your container definition's `logConfiguration` as `blocking` .\n> - Set the `defaultLogDriverMode` account setting to `blocking` .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", "SecretOptions": "The secrets to pass to the log configuration. For more information, see [Specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the *Amazon Elastic Container Service Developer Guide* ." }, "AWS::ECS::TaskDefinition MountPoint": { @@ -16235,7 +16701,7 @@ }, "AWS::ECS::TaskDefinition SystemControl": { "Namespace": "The namespaced kernel parameter to set a `value` for.", - "Value": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"`\n\nAll of these values are supported by Fargate." + "Value": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"` . Only namespaced `Sysctls` that exist within the container starting with \"net.* are accepted.\n\nAll of these values are supported by Fargate." }, "AWS::ECS::TaskDefinition Tag": { "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", @@ -16501,9 +16967,9 @@ "Cidrs": "A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes.\n\nThese CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.\n\nEnter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).\n\nIt must satisfy the following requirements:\n\n- Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.\n- Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range." }, "AWS::EKS::Cluster ResourcesVpcConfig": { - "EndpointPrivateAccess": "Set this value to `true` to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is `false` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that `publicAccessCidrs` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", - "EndpointPublicAccess": "Set this value to `false` to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is `true` , which enables public access for your Kubernetes API server. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", - "PublicAccessCidrs": "The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is `0.0.0.0/0` . If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate `Pod` in the cluster. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", + "EndpointPrivateAccess": "Set this value to `true` to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is `false` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that `publicAccessCidrs` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", + "EndpointPublicAccess": "Set this value to `false` to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is `true` , which enables public access for your Kubernetes API server. The endpoint domain name and IP address family depends on the value of the `ipFamily` for the cluster. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", + "PublicAccessCidrs": "The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is `0.0.0.0/0` and additionally `::/0` for dual-stack `IPv6` clusters. If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate `Pod` in the cluster. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .\n\nNote that the public endpoints are dual-stack for only `IPv6` clusters that are made after October 2024. You can't add `IPv6` CIDR blocks to `IPv4` clusters or `IPv6` clusters that were made before October 2024.", "SecurityGroupIds": "Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use that allow communication between your nodes and the Kubernetes control plane. If you don't specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes. For more information, see [Amazon EKS security group considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the **Amazon EKS User Guide** .", "SubnetIds": "Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane." }, @@ -16776,7 +17242,9 @@ "Value": "The value part of the identified key." }, "AWS::EMR::Cluster ManagedScalingPolicy": { - "ComputeLimits": "The Amazon EC2 unit limits for a managed scaling policy. The managed scaling activity of a cluster is not allowed to go above or below these limits. The limit only applies to the core and task nodes. The master node cannot be scaled after initial configuration." + "ComputeLimits": "The Amazon EC2 unit limits for a managed scaling policy. The managed scaling activity of a cluster is not allowed to go above or below these limits. The limit only applies to the core and task nodes. The master node cannot be scaled after initial configuration.", + "ScalingStrategy": "Determines whether a custom scaling utilization performance index can be set. Possible values include *ADVANCED* or *DEFAULT* .", + "UtilizationPerformanceIndex": "An integer value that represents an advanced scaling strategy. Setting a higher value optimizes for performance. Setting a lower value optimizes for resource conservation. Setting the value to 50 balances performance and resource conservation. Possible values are 1, 25, 50, 75, and 100." }, "AWS::EMR::Cluster MetricDimension": { "Key": "The dimension name.", @@ -17267,7 +17735,7 @@ "CacheParameterGroupName": "The name of the parameter group to associate with this replication group. If this argument is omitted, the default cache parameter group for the specified engine is used.\n\nIf you are running Valkey or Redis OSS version 3.2.4 or later, only one node group (shard), and want to use a default parameter group, we recommend that you specify the parameter group by name.\n\n- To create a Valkey or Redis OSS (cluster mode disabled) replication group, use `CacheParameterGroupName=default.redis3.2` .\n- To create a Valkey or Redis OSS (cluster mode enabled) replication group, use `CacheParameterGroupName=default.redis3.2.cluster.on` .", "CacheSecurityGroupNames": "A list of cache security group names to associate with this replication group.", "CacheSubnetGroupName": "The name of the cache subnet group to be used for the replication group.\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see [AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .", - "ClusterMode": "Enabled or Disabled. To modify cluster mode from Disabled to Enabled, you must first set the cluster mode to Compatible. Compatible mode allows your Valkey or Redis OSS clients to connect using both cluster mode enabled and cluster mode disabled. After you migrate all Valkey or Redis OSS clients to use cluster mode enabled, you can then complete cluster mode configuration and set the cluster mode to Enabled. For more information, see [Modify cluster mode](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/modify-cluster-mode.html) .", + "ClusterMode": "The mode can be enabled or disabled. To change the cluster mode from disabled to enabled, you must first set the cluster mode to compatible. The compatible mode allows your Valkey or Redis OSS clients to connect using both cluster mode enabled and cluster mode disabled. After you migrate all Valkey or Redis OSS clients to use cluster mode enabled, you can then complete cluster mode configuration and set the cluster mode to enabled. For more information, see [Modify cluster mode](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/modify-cluster-mode.html) .", "DataTieringEnabled": "Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. This parameter must be set to true when using r6gd nodes. For more information, see [Data tiering](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/data-tiering.html) .", "Engine": "The name of the cache engine to be used for the clusters in this replication group. The value must be set to `valkey` or `redis` .\n\n> Upgrading an existing engine from redis to valkey is done through in-place migration, and requires a parameter group.", "EngineVersion": "The version number of the cache engine to be used for the clusters in this replication group. To view the supported cache engine versions, use the `DescribeCacheEngineVersions` operation.\n\n*Important:* You can upgrade to a newer engine version (see [Selecting a Cache Engine and Version](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/SelectEngine.html#VersionManagement) ) in the *ElastiCache User Guide* , but you cannot downgrade to an earlier engine version. If you want to use an earlier engine version, you must delete the existing cluster or replication group and create it anew with the earlier engine version.", @@ -17565,12 +18033,12 @@ "AlpnPolicy": "[TLS listener] The name of the Application-Layer Protocol Negotiation (ALPN) policy.", "Certificates": "The default SSL server certificate for a secure listener. You must provide exactly one certificate if the listener protocol is HTTPS or TLS.\n\nTo create a certificate list for a secure listener, use [AWS::ElasticLoadBalancingV2::ListenerCertificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenercertificate.html) .", "DefaultActions": "The actions for the default rule. You cannot define a condition for a default rule.\n\nTo create additional rules for an Application Load Balancer, use [AWS::ElasticLoadBalancingV2::ListenerRule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenerrule.html) .", - "ListenerAttributes": "The listener attributes.", + "ListenerAttributes": "The listener attributes. Attributes that you do not modify retain their current values.", "LoadBalancerArn": "The Amazon Resource Name (ARN) of the load balancer.", "MutualAuthentication": "The mutual authentication configuration information.", "Port": "The port on which the load balancer is listening. You can't specify a port for a Gateway Load Balancer.", "Protocol": "The protocol for connections from clients to the load balancer. For Application Load Balancers, the supported protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocols are TCP, TLS, UDP, and TCP_UDP. You can\u2019t specify the UDP or TCP_UDP protocol if dual-stack mode is enabled. You can't specify a protocol for a Gateway Load Balancer.", - "SslPolicy": "[HTTPS and TLS listeners] The security policy that defines which protocols and ciphers are supported.\n\nUpdating the security policy can result in interruptions if the load balancer is handling a high volume of traffic.\n\nFor more information, see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) in the *Application Load Balancers Guide* and [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#describe-ssl-policies) in the *Network Load Balancers Guide* ." + "SslPolicy": "[HTTPS and TLS listeners] The security policy that defines which protocols and ciphers are supported. For more information, see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html) in the *Application Load Balancers Guide* and [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) in the *Network Load Balancers Guide* .\n\n[HTTPS listeners] Updating the security policy can result in interruptions if the load balancer is handling a high volume of traffic. To decrease the possibility of an interruption if your load balancer is handling a high volume of traffic, create an additional load balancer or request an LCU reservation." }, "AWS::ElasticLoadBalancingV2::Listener Action": { "AuthenticateCognitoConfig": "[HTTPS listeners] Information for using Amazon Cognito to authenticate users. Specify only when `Type` is `authenticate-cognito` .", @@ -17637,7 +18105,7 @@ "StatusCode": "The HTTP redirect code. The redirect is either permanent (HTTP 301) or temporary (HTTP 302)." }, "AWS::ElasticLoadBalancingV2::Listener TargetGroupStickinessConfig": { - "DurationSeconds": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).", + "DurationSeconds": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.", "Enabled": "Indicates whether target group stickiness is enabled." }, "AWS::ElasticLoadBalancingV2::Listener TargetGroupTuple": { @@ -17701,7 +18169,7 @@ "TargetGroups": "Information about how traffic will be distributed between multiple target groups in a forward rule." }, "AWS::ElasticLoadBalancingV2::ListenerRule HostHeaderConfig": { - "Values": "The host names. The maximum size of each name is 128 characters. The comparison is case insensitive. The following wildcard characters are supported: * (matches 0 or more characters) and ? (matches exactly 1 character).\n\nIf you specify multiple strings, the condition is satisfied if one of the strings matches the host name." + "Values": "The host names. The maximum size of each name is 128 characters. The comparison is case insensitive. The following wildcard characters are supported: * (matches 0 or more characters) and ? (matches exactly 1 character). You must include at least one \".\" character. You can include only alphabetical characters after the final \".\" character.\n\nIf you specify multiple strings, the condition is satisfied if one of the strings matches the host name." }, "AWS::ElasticLoadBalancingV2::ListenerRule HttpHeaderConfig": { "HttpHeaderName": "The name of the HTTP header field. The maximum size is 40 characters. The header name is case insensitive. The allowed characters are specified by RFC 7230. Wildcards are not supported.", @@ -17742,7 +18210,7 @@ "Values": "The source IP addresses, in CIDR format. You can use both IPv4 and IPv6 addresses. Wildcards are not supported.\n\nIf you specify multiple addresses, the condition is satisfied if the source IP address of the request matches one of the CIDR blocks. This condition is not satisfied by the addresses in the X-Forwarded-For header." }, "AWS::ElasticLoadBalancingV2::ListenerRule TargetGroupStickinessConfig": { - "DurationSeconds": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).", + "DurationSeconds": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.", "Enabled": "Indicates whether target group stickiness is enabled." }, "AWS::ElasticLoadBalancingV2::ListenerRule TargetGroupTuple": { @@ -17751,10 +18219,10 @@ }, "AWS::ElasticLoadBalancingV2::LoadBalancer": { "EnablePrefixForIpv6SourceNat": "[Network Load Balancers with UDP listeners] Indicates whether to use an IPv6 prefix from each subnet for source NAT. The IP address type must be `dualstack` . The default value is `off` .", - "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .", + "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .\n\nYou can't configure this property on a Network Load Balancer unless you associated a security group with the load balancer when you created it.", "IpAddressType": "The IP address type. Internal load balancers must use `ipv4` .\n\n[Application Load Balancers] The possible values are `ipv4` (IPv4 addresses), `dualstack` (IPv4 and IPv6 addresses), and `dualstack-without-public-ipv4` (public IPv6 addresses and private IPv4 and IPv6 addresses).\n\nApplication Load Balancer authentication supports IPv4 addresses only when connecting to an Identity Provider (IdP) or Amazon Cognito endpoint. Without a public IPv4 address the load balancer can't complete the authentication process, resulting in HTTP 500 errors.\n\n[Network Load Balancers and Gateway Load Balancers] The possible values are `ipv4` (IPv4 addresses) and `dualstack` (IPv4 and IPv6 addresses).", - "Ipv4IpamPoolId": "", - "LoadBalancerAttributes": "The load balancer attributes.", + "Ipv4IpamPoolId": "The ID of the IPv4 IPAM pool.", + "LoadBalancerAttributes": "The load balancer attributes. Attributes that you do not modify retain their current values.", "MinimumLoadBalancerCapacity": "The minimum capacity for a load balancer.", "Name": "The name of the load balancer. This name must be unique per region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, must not begin or end with a hyphen, and must not begin with \"internal-\".\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID for the load balancer. If you specify a name, you cannot perform updates that require replacement of this resource, but you can perform other updates. To replace the resource, specify a new name.", "Scheme": "The nodes of an Internet-facing load balancer have public IP addresses. The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes. Therefore, Internet-facing load balancers can route requests from clients over the internet.\n\nThe nodes of an internal load balancer have only private IP addresses. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load balancers can route requests only from clients with access to the VPC for the load balancer.\n\nThe default is an Internet-facing load balancer.\n\nYou can't specify a scheme for a Gateway Load Balancer.", @@ -17797,7 +18265,7 @@ "Protocol": "The protocol to use for routing traffic to the targets. For Application Load Balancers, the supported protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocols are TCP, TLS, UDP, or TCP_UDP. For Gateway Load Balancers, the supported protocol is GENEVE. A TCP_UDP listener must be associated with a TCP_UDP target group. If the target is a Lambda function, this parameter does not apply.", "ProtocolVersion": "[HTTP/HTTPS protocol] The protocol version. The possible values are `GRPC` , `HTTP1` , and `HTTP2` .", "Tags": "The tags.", - "TargetGroupAttributes": "The target group attributes.", + "TargetGroupAttributes": "The target group attributes. Attributes that you do not modify retain their current values.", "TargetType": "The type of target that you must specify when registering targets with this target group. You can't specify targets for a target group using more than one target type.\n\n- `instance` - Register targets by instance ID. This is the default value.\n- `ip` - Register targets by IP address. You can specify IP addresses from the subnets of the virtual private cloud (VPC) for the target group, the RFC 1918 range (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), and the RFC 6598 range (100.64.0.0/10). You can't specify publicly routable IP addresses.\n- `lambda` - Register a single Lambda function as a target.\n- `alb` - Register a single Application Load Balancer as a target.", "Targets": "The targets.", "UnhealthyThresholdCount": "The number of consecutive health check failures required before considering a target unhealthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 2. For target groups with a protocol of GENEVE, the default is 2. If the target type is `lambda` , the default is 5.", @@ -17817,7 +18285,7 @@ "Port": "The port on which the target is listening. If the target group protocol is GENEVE, the supported port is 6081. If the target type is `alb` , the targeted Application Load Balancer must have at least one listener whose port matches the target group port. This parameter is not used if the target is a Lambda function." }, "AWS::ElasticLoadBalancingV2::TargetGroup TargetGroupAttribute": { - "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` , `least_outstanding_requests` , or `weighted_random` . The default is `round_robin` .\n- `load_balancing.algorithm.anomaly_mitigation` - Only available when `load_balancing.algorithm.type` is `weighted_random` . Indicates whether anomaly mitigation is enabled. The value is `on` or `off` . The default is `off` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation can't be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` . This attribute can't be enabled for UDP and TCP_UDP target groups.\n- `target_health_state.unhealthy.draining_interval_seconds` - The amount of time for Elastic Load Balancing to wait before changing the state of an unhealthy target from `unhealthy.draining` to `unhealthy` . The range is 0-360000 seconds. The default value is 0 seconds.\n\nNote: This attribute can only be configured when `target_health_state.unhealthy.connection_termination.enabled` is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.", + "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is 1.\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` , `least_outstanding_requests` , or `weighted_random` . The default is `round_robin` .\n- `load_balancing.algorithm.anomaly_mitigation` - Only available when `load_balancing.algorithm.type` is `weighted_random` . Indicates whether anomaly mitigation is enabled. The value is `on` or `off` . The default is `off` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation can't be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` . This attribute can't be enabled for UDP and TCP_UDP target groups.\n- `target_health_state.unhealthy.draining_interval_seconds` - The amount of time for Elastic Load Balancing to wait before changing the state of an unhealthy target from `unhealthy.draining` to `unhealthy` . The range is 0-360000 seconds. The default value is 0 seconds.\n\nNote: This attribute can only be configured when `target_health_state.unhealthy.connection_termination.enabled` is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.", "Value": "The value of the attribute." }, "AWS::ElasticLoadBalancingV2::TrustStore": { @@ -18090,7 +18558,7 @@ "Hashed": "Indicates if the column values are hashed in the schema input.\n\nIf the value is set to `TRUE` , the column values are hashed.\n\nIf the value is set to `FALSE` , the column values are cleartext.", "MatchKey": "A key that allows grouping of multiple input attributes into a unified matching group.\n\nFor example, consider a scenario where the source table contains various addresses, such as `business_address` and `shipping_address` . By assigning a `matchKey` called `address` to both attributes, AWS Entity Resolution will match records across these fields to create a consolidated matching group.\n\nIf no `matchKey` is specified for a column, it won't be utilized for matching purposes but will still be included in the output table.", "SubType": "The subtype of the attribute, selected from a list of values.", - "Type": "The type of the attribute, selected from a list of values.\n\n> Normalization is only supported for `NAME` , `ADDRESS` , `PHONE` , and `EMAIL_ADDRESS` .\n> \n> If you want to normalize `NAME_FIRST` , `NAME_MIDDLE` , and `NAME_LAST` , you must group them by assigning them to the `NAME` `groupName` .\n> \n> If you want to normalize `ADDRESS_STREET1` , `ADDRESS_STREET2` , `ADDRESS_STREET3` , `ADDRESS_CITY` , `ADDRESS_STATE` , `ADDRESS_COUNTRY` , and `ADDRESS_POSTALCODE` , you must group them by assigning them to the `ADDRESS` `groupName` .\n> \n> If you want to normalize `PHONE_NUMBER` and `PHONE_COUNTRYCODE` , you must group them by assigning them to the `PHONE` `groupName` ." + "Type": "The type of the attribute, selected from a list of values.\n\nLiveRamp supports: `NAME` | `NAME_FIRST` | `NAME_MIDDLE` | `NAME_LAST` | `ADDRESS` | `ADDRESS_STREET1` | `ADDRESS_STREET2` | `ADDRESS_STREET3` | `ADDRESS_CITY` | `ADDRESS_STATE` | `ADDRESS_COUNTRY` | `ADDRESS_POSTALCODE` | `PHONE` | `PHONE_NUMBER` | `EMAIL_ADDRESS` | `UNIQUE_ID` | `PROVIDER_ID`\n\nTransUnion supports: `NAME` | `NAME_FIRST` | `NAME_LAST` | `ADDRESS` | `ADDRESS_CITY` | `ADDRESS_STATE` | `ADDRESS_COUNTRY` | `ADDRESS_POSTALCODE` | `PHONE_NUMBER` | `EMAIL_ADDRESS` | `UNIQUE_ID` | `IPV4` | `IPV6` | `MAID`\n\nUnified ID 2.0 supports: `PHONE_NUMBER` | `EMAIL_ADDRESS` | `UNIQUE_ID`\n\n> Normalization is only supported for `NAME` , `ADDRESS` , `PHONE` , and `EMAIL_ADDRESS` .\n> \n> If you want to normalize `NAME_FIRST` , `NAME_MIDDLE` , and `NAME_LAST` , you must group them by assigning them to the `NAME` `groupName` .\n> \n> If you want to normalize `ADDRESS_STREET1` , `ADDRESS_STREET2` , `ADDRESS_STREET3` , `ADDRESS_CITY` , `ADDRESS_STATE` , `ADDRESS_COUNTRY` , and `ADDRESS_POSTALCODE` , you must group them by assigning them to the `ADDRESS` `groupName` .\n> \n> If you want to normalize `PHONE_NUMBER` and `PHONE_COUNTRYCODE` , you must group them by assigning them to the `PHONE` `groupName` ." }, "AWS::EntityResolution::SchemaMapping Tag": { "Key": "The key of the tag.", @@ -18732,7 +19200,7 @@ "OpenZFSConfiguration": "The Amazon FSx for OpenZFS configuration properties for the file system that you are creating.", "SecurityGroupIds": "A list of IDs specifying the security groups to apply to all network interfaces created for file system access. This list isn't returned in later requests to describe the file system.\n\n> You must specify a security group if you are creating a Multi-AZ FSx for ONTAP file system in a VPC subnet that has been shared with you.", "StorageCapacity": "Sets the storage capacity of the file system that you're creating.\n\n`StorageCapacity` is required if you are creating a new file system. It is not required if you are creating a file system by restoring a backup.\n\n*FSx for Lustre file systems* - The amount of storage capacity that you can configure depends on the value that you set for `StorageType` and the Lustre `DeploymentType` , as follows:\n\n- For `SCRATCH_2` , `PERSISTENT_2` and `PERSISTENT_1` deployment types using SSD storage type, the valid values are 1200 GiB, 2400 GiB, and increments of 2400 GiB.\n- For `PERSISTENT_1` HDD file systems, valid values are increments of 6000 GiB for 12 MB/s/TiB file systems and increments of 1800 GiB for 40 MB/s/TiB file systems.\n- For `SCRATCH_1` deployment type, valid values are 1200 GiB, 2400 GiB, and increments of 3600 GiB.\n\n*FSx for ONTAP file systems* - The amount of SSD storage capacity that you can configure depends on the value of the `HAPairs` property. The minimum value is calculated as 1,024 GiB * HAPairs and the maximum is calculated as 524,288 GiB * HAPairs, up to a maximum amount of SSD storage capacity of 1,048,576 GiB (1 pebibyte).\n\n*FSx for OpenZFS file systems* - The amount of storage capacity that you can configure is from 64 GiB up to 524,288 GiB (512 TiB). If you are creating a file system from a backup, you can specify a storage capacity equal to or greater than the original file system's storage capacity.\n\n*FSx for Windows File Server file systems* - The amount of storage capacity that you can configure depends on the value that you set for `StorageType` as follows:\n\n- For SSD storage, valid values are 32 GiB-65,536 GiB (64 TiB).\n- For HDD storage, valid values are 2000 GiB-65,536 GiB (64 TiB).", - "StorageType": "Sets the storage class for the file system that you're creating. Valid values are `SSD` , `HDD` , and `INTELLIGENT_TIERING` .\n\n- Set to `SSD` to use solid state drive storage. SSD is supported on all Windows, Lustre, ONTAP, and OpenZFS deployment types.\n- Set to `HDD` to use hard disk drive storage, which is supported on `SINGLE_AZ_2` and `MULTI_AZ_1` Windows file system deployment types, and on `PERSISTENT_1` Lustre file system deployment types.\n- Set to `INTELLIGENT_TIERING` to use fully elastic, intelligently-tiered storage. Intelligent-Tiering is only available for OpenZFS file systems with the Multi-AZ deployment type.\n\nDefault value is `SSD` . For more information, see [Storage type options](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/optimize-fsx-costs.html#storage-type-options) in the *FSx for Windows File Server User Guide* , [Multiple storage options](https://docs.aws.amazon.com/fsx/latest/LustreGuide/what-is.html#storage-options) in the *FSx for Lustre User Guide* , and [Working with Intelligent-Tiering](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance-intelligent-tiering) in the *Amazon FSx for OpenZFS User Guide* .", + "StorageType": "Sets the storage class for the file system that you're creating. Valid values are `SSD` , `HDD` , and `INTELLIGENT_TIERING` .\n\n- Set to `SSD` to use solid state drive storage. SSD is supported on all Windows, Lustre, ONTAP, and OpenZFS deployment types.\n- Set to `HDD` to use hard disk drive storage, which is supported on `SINGLE_AZ_2` and `MULTI_AZ_1` Windows file system deployment types, and on `PERSISTENT_1` Lustre file system deployment types.\n- Set to `INTELLIGENT_TIERING` to use fully elastic, intelligently-tiered storage. Intelligent-Tiering is only available for OpenZFS file systems with the Multi-AZ deployment type and for Lustre file systems with the Persistent_2 deployment type.\n\nDefault value is `SSD` . For more information, see [Storage type options](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/optimize-fsx-costs.html#storage-type-options) in the *FSx for Windows File Server User Guide* , [FSx for Lustre storage classes](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html#lustre-storage-classes) in the *FSx for Lustre User Guide* , and [Working with Intelligent-Tiering](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance-intelligent-tiering) in the *Amazon FSx for OpenZFS User Guide* .", "SubnetIds": "Specifies the IDs of the subnets that the file system will be accessible from. For Windows and ONTAP `MULTI_AZ_1` deployment types,provide exactly two subnet IDs, one for the preferred file server and one for the standby file server. You specify one of these subnets as the preferred subnet using the `WindowsConfiguration > PreferredSubnetID` or `OntapConfiguration > PreferredSubnetID` properties. For more information about Multi-AZ file system configuration, see [Availability and durability: Single-AZ and Multi-AZ file systems](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html) in the *Amazon FSx for Windows User Guide* and [Availability and durability](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/high-availability-multiAZ.html) in the *Amazon FSx for ONTAP User Guide* .\n\nFor Windows `SINGLE_AZ_1` and `SINGLE_AZ_2` and all Lustre deployment types, provide exactly one subnet ID. The file server is launched in that subnet's Availability Zone.", "Tags": "The tags to associate with the file system. For more information, see [Tagging your Amazon FSx resources](https://docs.aws.amazon.com/fsx/latest/LustreGuide/tag-resources.html) in the *Amazon FSx for Lustre User Guide* .", "WindowsConfiguration": "The configuration object for the Microsoft Windows file system you are creating.\n\nThis value is required if `FileSystemType` is set to `WINDOWS` ." @@ -18746,6 +19214,10 @@ "Clients": "A value that specifies who can mount the file system. You can provide a wildcard character ( `*` ), an IP address ( `0.0.0.0` ), or a CIDR address ( `192.0.2.0/24` ). By default, Amazon FSx uses the wildcard character when specifying the client.", "Options": "The options to use when mounting the file system. For a list of options that you can use with Network File System (NFS), see the [exports(5) - Linux man page](https://docs.aws.amazon.com/https://linux.die.net/man/5/exports) . When choosing your options, consider the following:\n\n- `crossmnt` is used by default. If you don't specify `crossmnt` when changing the client configuration, you won't be able to see or access snapshots in your file system's snapshot directory.\n- `sync` is used by default. If you instead specify `async` , the system acknowledges writes before writing to disk. If the system crashes before the writes are finished, you lose the unwritten data." }, + "AWS::FSx::FileSystem DataReadCacheConfiguration": { + "SizeGiB": "", + "SizingMode": "" + }, "AWS::FSx::FileSystem DiskIopsConfiguration": { "Iops": "The total number of SSD IOPS provisioned for the file system.\n\nThe minimum and maximum values for this property depend on the value of `HAPairs` and `StorageCapacity` . The minimum value is calculated as `StorageCapacity` * 3 * `HAPairs` (3 IOPS per GB of `StorageCapacity` ). The maximum value is calculated as 200,000 * `HAPairs` .\n\nAmazon FSx responds with an HTTP status code 400 (Bad Request) if the value of `Iops` is outside of the minimum or maximum values.", "Mode": "Specifies whether the file system is using the `AUTOMATIC` setting of SSD IOPS of 3 IOPS per GB of storage capacity, or if it using a `USER_PROVISIONED` value." @@ -18756,7 +19228,8 @@ "CopyTagsToBackups": "(Optional) Not available for use with file systems that are linked to a data repository. A boolean flag indicating whether tags for the file system should be copied to backups. The default value is false. If `CopyTagsToBackups` is set to true, all file system tags are copied to all automatic and user-initiated backups when the user doesn't specify any backup-specific tags. If `CopyTagsToBackups` is set to true and you specify one or more backup tags, only the specified tags are copied to backups. If you specify one or more tags when creating a user-initiated backup, no tags are copied from the file system, regardless of this value.\n\n(Default = `false` )\n\nFor more information, see [Working with backups](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-backups-fsx.html) in the *Amazon FSx for Lustre User Guide* .", "DailyAutomaticBackupStartTime": "A recurring daily time, in the format `HH:MM` . `HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour. For example, `05:00` specifies 5 AM daily.", "DataCompressionType": "Sets the data compression configuration for the file system. `DataCompressionType` can have the following values:\n\n- `NONE` - (Default) Data compression is turned off when the file system is created.\n- `LZ4` - Data compression is turned on with the LZ4 algorithm.\n\nFor more information, see [Lustre data compression](https://docs.aws.amazon.com/fsx/latest/LustreGuide/data-compression.html) in the *Amazon FSx for Lustre User Guide* .", - "DeploymentType": "(Optional) Choose `SCRATCH_1` and `SCRATCH_2` deployment types when you need temporary storage and shorter-term processing of data. The `SCRATCH_2` deployment type provides in-transit encryption of data and higher burst throughput capacity than `SCRATCH_1` .\n\nChoose `PERSISTENT_1` for longer-term storage and for throughput-focused workloads that aren\u2019t latency-sensitive. `PERSISTENT_1` supports encryption of data in transit, and is available in all AWS Regions in which FSx for Lustre is available.\n\nChoose `PERSISTENT_2` for longer-term storage and for latency-sensitive workloads that require the highest levels of IOPS/throughput. `PERSISTENT_2` supports SSD storage, and offers higher `PerUnitStorageThroughput` (up to 1000 MB/s/TiB). You can optionally specify a metadata configuration mode for `PERSISTENT_2` which supports increasing metadata performance. `PERSISTENT_2` is available in a limited number of AWS Regions . For more information, and an up-to-date list of AWS Regions in which `PERSISTENT_2` is available, see [File system deployment options for FSx for Lustre](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html#lustre-deployment-types) in the *Amazon FSx for Lustre User Guide* .\n\n> If you choose `PERSISTENT_2` , and you set `FileSystemTypeVersion` to `2.10` , the `CreateFileSystem` operation fails. \n\nEncryption of data in transit is automatically turned on when you access `SCRATCH_2` , `PERSISTENT_1` , and `PERSISTENT_2` file systems from Amazon EC2 instances that support automatic encryption in the AWS Regions where they are available. For more information about encryption in transit for FSx for Lustre file systems, see [Encrypting data in transit](https://docs.aws.amazon.com/fsx/latest/LustreGuide/encryption-in-transit-fsxl.html) in the *Amazon FSx for Lustre User Guide* .\n\n(Default = `SCRATCH_1` )", + "DataReadCacheConfiguration": "", + "DeploymentType": "(Optional) Choose `SCRATCH_1` and `SCRATCH_2` deployment types when you need temporary storage and shorter-term processing of data. The `SCRATCH_2` deployment type provides in-transit encryption of data and higher burst throughput capacity than `SCRATCH_1` .\n\nChoose `PERSISTENT_1` for longer-term storage and for throughput-focused workloads that aren\u2019t latency-sensitive. `PERSISTENT_1` supports encryption of data in transit, and is available in all AWS Regions in which FSx for Lustre is available.\n\nChoose `PERSISTENT_2` for longer-term storage and for latency-sensitive workloads that require the highest levels of IOPS/throughput. `PERSISTENT_2` supports the SSD and Intelligent-Tiering storage classes. You can optionally specify a metadata configuration mode for `PERSISTENT_2` which supports increasing metadata performance. `PERSISTENT_2` is available in a limited number of AWS Regions . For more information, and an up-to-date list of AWS Regions in which `PERSISTENT_2` is available, see [Deployment and storage class options for FSx for Lustre file systems](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html) in the *Amazon FSx for Lustre User Guide* .\n\n> If you choose `PERSISTENT_2` , and you set `FileSystemTypeVersion` to `2.10` , the `CreateFileSystem` operation fails. \n\nEncryption of data in transit is automatically turned on when you access `SCRATCH_2` , `PERSISTENT_1` , and `PERSISTENT_2` file systems from Amazon EC2 instances that support automatic encryption in the AWS Regions where they are available. For more information about encryption in transit for FSx for Lustre file systems, see [Encrypting data in transit](https://docs.aws.amazon.com/fsx/latest/LustreGuide/encryption-in-transit-fsxl.html) in the *Amazon FSx for Lustre User Guide* .\n\n(Default = `SCRATCH_1` )", "DriveCacheType": "The type of drive cache used by `PERSISTENT_1` file systems that are provisioned with HDD storage devices. This parameter is required when storage type is HDD. Set this property to `READ` to improve the performance for frequently accessed files by caching up to 20% of the total storage capacity of the file system.\n\nThis parameter is required when `StorageType` is set to `HDD` and `DeploymentType` is `PERSISTENT_1` .", "EfaEnabled": "", "ExportPath": "(Optional) Specifies the path in the Amazon S3 bucket where the root of your Amazon FSx file system is exported. The path must use the same Amazon S3 bucket as specified in ImportPath. You can provide an optional prefix to which new and changed data is to be exported from your Amazon FSx for Lustre file system. If an `ExportPath` value is not provided, Amazon FSx sets a default export path, `s3://import-bucket/FSxLustre[creation-timestamp]` . The timestamp is in UTC format, for example `s3://import-bucket/FSxLustre20181105T222312Z` .\n\nThe Amazon S3 export bucket must be the same as the import bucket specified by `ImportPath` . If you specify only a bucket name, such as `s3://import-bucket` , you get a 1:1 mapping of file system objects to S3 bucket objects. This mapping means that the input data in S3 is overwritten on export. If you provide a custom prefix in the export path, such as `s3://import-bucket/[custom-optional-prefix]` , Amazon FSx exports the contents of your file system to that export prefix in the Amazon S3 bucket.\n\n> This parameter is not supported for file systems with a data repository association.", @@ -18764,6 +19237,7 @@ "ImportedFileChunkSize": "(Optional) For files imported from a data repository, this value determines the stripe count and maximum amount of data per file (in MiB) stored on a single physical disk. The maximum number of disks that a single file can be striped across is limited by the total number of disks that make up the file system.\n\nThe default chunk size is 1,024 MiB (1 GiB) and can go as high as 512,000 MiB (500 GiB). Amazon S3 objects have a maximum size of 5 TB.\n\n> This parameter is not supported for Lustre file systems with a data repository association.", "MetadataConfiguration": "", "PerUnitStorageThroughput": "Required with `PERSISTENT_1` and `PERSISTENT_2` deployment types, provisions the amount of read and write throughput for each 1 tebibyte (TiB) of file system storage capacity, in MB/s/TiB. File system throughput capacity is calculated by multiplying \ufb01le system storage capacity (TiB) by the `PerUnitStorageThroughput` (MB/s/TiB). For a 2.4-TiB \ufb01le system, provisioning 50 MB/s/TiB of `PerUnitStorageThroughput` yields 120 MB/s of \ufb01le system throughput. You pay for the amount of throughput that you provision.\n\nValid values:\n\n- For `PERSISTENT_1` SSD storage: 50, 100, 200 MB/s/TiB.\n- For `PERSISTENT_1` HDD storage: 12, 40 MB/s/TiB.\n- For `PERSISTENT_2` SSD storage: 125, 250, 500, 1000 MB/s/TiB.", + "ThroughputCapacity": "", "WeeklyMaintenanceStartTime": "The preferred start time to perform weekly maintenance, formatted d:HH:MM in the UTC time zone, where d is the weekday number, from 1 through 7, beginning with Monday and ending with Sunday.\n\nFor example, `1:05:00` specifies maintenance at 5 AM Monday." }, "AWS::FSx::FileSystem MetadataConfiguration": { @@ -18800,7 +19274,7 @@ "ReadCacheConfiguration": "Specifies the optional provisioned SSD read cache on file systems that use the Intelligent-Tiering storage class.", "RootVolumeConfiguration": "The configuration Amazon FSx uses when creating the root value of the Amazon FSx for OpenZFS file system. All volumes are children of the root volume.", "RouteTableIds": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", - "ThroughputCapacity": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the `DeploymentType` and `StorageType` that you choose, as follows:\n\n- For `INTELIGENT_TIERING` , valid values are 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", + "ThroughputCapacity": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the `DeploymentType` that you choose, as follows:\n\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", "WeeklyMaintenanceStartTime": "The preferred start time to perform weekly maintenance, formatted d:HH:MM in the UTC time zone, where d is the weekday number, from 1 through 7, beginning with Monday and ending with Sunday.\n\nFor example, `1:05:00` specifies maintenance at 5 AM Monday." }, "AWS::FSx::FileSystem ReadCacheConfiguration": { @@ -19384,16 +19858,13 @@ "CertificateConfiguration": "Prompts Amazon GameLift Servers to generate a TLS/SSL certificate for the fleet. Amazon GameLift Servers uses the certificates to encrypt traffic between game clients and the game servers running on Amazon GameLift Servers. By default, the `CertificateConfiguration` is `DISABLED` . You can't change this property after you create the fleet.\n\nAWS Certificate Manager (ACM) certificates expire after 13 months. Certificate expiration can cause fleets to fail, preventing players from connecting to instances in the fleet. We recommend you replace fleets before 13 months, consider using fleet aliases for a smooth transition.\n\n> ACM isn't available in all AWS regions. A fleet creation request with certificate generation enabled in an unsupported Region, fails with a 4xx error. For more information about the supported Regions, see [Supported Regions](https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html) in the *AWS Certificate Manager User Guide* .", "ComputeType": "The type of compute resource used to host your game servers.\n\n- `EC2` \u2013 The game server build is deployed to Amazon EC2 instances for cloud hosting. This is the default setting.\n- `ANYWHERE` \u2013 Game servers and supporting software are deployed to compute resources that you provide and manage. With this compute type, you can also set the `AnywhereConfiguration` parameter.", "Description": "A description for the fleet.", - "DesiredEC2Instances": "The number of EC2 instances that you want this fleet to host. When creating a new fleet, GameLift automatically sets this value to \"1\" and initiates a single instance. Once the fleet is active, update this value to trigger GameLift to add or remove instances from the fleet.", "EC2InboundPermissions": "The IP address ranges and port settings that allow inbound traffic to access game server processes and other processes on this fleet. Set this parameter for managed EC2 fleets. You can leave this parameter empty when creating the fleet, but you must call [](https://docs.aws.amazon.com/gamelift/latest/apireference/API_UpdateFleetPortSettings) to set it before players can connect to game sessions. As a best practice, we recommend opening ports for remote access only when you need them and closing them when you're finished. For Amazon GameLift Servers Realtime fleets, Amazon GameLift Servers automatically sets TCP and UDP ranges.", "EC2InstanceType": "The Amazon GameLift Servers-supported Amazon EC2 instance type to use with managed EC2 fleets. Instance type determines the computing resources that will be used to host your game servers, including CPU, memory, storage, and networking capacity. See [Amazon Elastic Compute Cloud Instance Types](https://docs.aws.amazon.com/ec2/instance-types/) for detailed descriptions of Amazon EC2 instance types.", "FleetType": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This fleet property can't be changed after the fleet is created.", "InstanceRoleARN": "A unique identifier for an IAM role that manages access to your AWS services. With an instance role ARN set, any application that runs on an instance in this fleet can assume the role, including install scripts, server processes, and daemons (background processes). Create a role or look up a role's ARN by using the [IAM dashboard](https://docs.aws.amazon.com/iam/) in the AWS Management Console . Learn more about using on-box credentials for your game servers at [Access external resources from a game server](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) . This attribute is used with fleets where `ComputeType` is `EC2` .", "InstanceRoleCredentialsProvider": "Indicates that fleet instances maintain a shared credentials file for the IAM role defined in `InstanceRoleArn` . Shared credentials allow applications that are deployed with the game server executable to communicate with other AWS resources. This property is used only when the game server is integrated with the server SDK version 5.x. For more information about using shared credentials, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) . This attribute is used with fleets where `ComputeType` is `EC2` .", "Locations": "A set of remote locations to deploy additional instances to and manage as a multi-location fleet. Use this parameter when creating a fleet in AWS Regions that support multiple locations. You can add any AWS Region or Local Zone that's supported by Amazon GameLift Servers. Provide a list of one or more AWS Region codes, such as `us-west-2` , or Local Zone names. When using this parameter, Amazon GameLift Servers requires you to include your home location in the request. For a list of supported Regions and Local Zones, see [Amazon GameLift Servers service locations](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-regions.html) for managed hosting.", - "MaxSize": "The maximum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 1.", "MetricGroups": "The name of an AWS CloudWatch metric group to add this fleet to. A metric group is used to aggregate the metrics for multiple fleets. You can specify an existing metric group name or set a new name to create a new metric group. A fleet can be included in only one metric group at a time.", - "MinSize": "The minimum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 0.", "Name": "A descriptive label that is associated with a fleet. Fleet names do not need to be unique.", "NewGameSessionProtectionPolicy": "The status of termination protection for active game sessions on the fleet. By default, this property is set to `NoProtection` .\n\n- *NoProtection* - Game sessions can be terminated during active gameplay as a result of a scale-down event.\n- *FullProtection* - Game sessions in `ACTIVE` status cannot be terminated during a scale-down event.", "PeerVpcAwsAccountId": "Used when peering your Amazon GameLift Servers fleet with a VPC, the unique identifier for the AWS account that owns the VPC. You can find your account ID in the AWS Management Console under account settings.", @@ -19401,7 +19872,8 @@ "ResourceCreationLimitPolicy": "A policy that limits the number of game sessions that an individual player can create on instances in this fleet within a specified span of time.", "RuntimeConfiguration": "Instructions for how to launch and maintain server processes on instances in the fleet. The runtime configuration defines one or more server process configurations, each identifying a build executable or Realtime script file and the number of processes of that type to run concurrently.\n\n> The `RuntimeConfiguration` parameter is required unless the fleet is being configured using the older parameters `ServerLaunchPath` and `ServerLaunchParameters` , which are still supported for backward compatibility.", "ScalingPolicies": "Rule that controls how a fleet is scaled. Scaling policies are uniquely identified by the combination of name and fleet ID.", - "ScriptId": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift Servers prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually." + "ScriptId": "The unique identifier for a Realtime configuration script to be deployed on fleet instances. You can use either the script ID or ARN. Scripts must be uploaded to Amazon GameLift Servers prior to creating the fleet. This fleet property cannot be changed later.\n\n> You can't use the `!Ref` command to reference a script created with a CloudFormation template for the fleet property `ScriptId` . Instead, use `Fn::GetAtt Script.Arn` or `Fn::GetAtt Script.Id` to retrieve either of these properties as input for `ScriptId` . Alternatively, enter a `ScriptId` string manually.", + "Tags": "" }, "AWS::GameLift::Fleet AnywhereConfiguration": { "Cost": "The cost to run your fleet per hour. Amazon GameLift Servers uses the provided cost of your fleet to balance usage in queues. For more information about queues, see [Setting up queues](https://docs.aws.amazon.com/gamelift/latest/developerguide/queues-intro.html) in the *Amazon GameLift Servers Developer Guide* ." @@ -19452,6 +19924,10 @@ "LaunchPath": "The location of a game build executable or Realtime script. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"\n\n> Amazon GameLift Servers doesn't support the use of setup scripts that launch the game executable. For custom game builds, this parameter must indicate the executable that calls the server SDK operations `initSDK()` and `ProcessReady()` .", "Parameters": "An optional list of parameters to pass to the server executable or Realtime script on launch.\n\nLength Constraints: Minimum length of 1. Maximum length of 1024.\n\nPattern: [A-Za-z0-9_:.+\\/\\\\\\- =@{},?'\\[\\]\"]+" }, + "AWS::GameLift::Fleet Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::Fleet TargetConfiguration": { "TargetValue": "Desired value to use with a target-based scaling policy. The value must be relevant for whatever metric the scaling policy is using. For example, in a policy using the metric PercentAvailableGameSessions, the target value should be the preferred size of the fleet's buffer (the percent of capacity that should be idle and ready for new game sessions)." }, @@ -19599,12 +20075,12 @@ "Tags": "A list of labels to assign to the new stream group resource. Tags are developer-defined key-value pairs. Tagging AWS resources is useful for resource management, access management and cost allocation. See [Tagging AWS Resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference* ." }, "AWS::GameLiftStreams::StreamGroup DefaultApplication": { - "Arn": "An [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) that uniquely identifies the application resource. Format example: `arn:aws:gameliftstreams:us-west-2:123456789012:application/a-9ZY8X7Wv6` .", - "Id": "An ID that uniquely identifies the application resource. For example: `a-9ZY8X7Wv6` ." + "Arn": "An [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) that uniquely identifies the application resource. Example ARN: `arn:aws:gameliftstreams:us-west-2:111122223333:application/a-9ZY8X7Wv6` .", + "Id": "An ID that uniquely identifies the application resource. Example ID: `a-9ZY8X7Wv6` ." }, "AWS::GameLiftStreams::StreamGroup LocationConfiguration": { "AlwaysOnCapacity": "The streaming capacity that is allocated and ready to handle stream requests without delay. You pay for this capacity whether it's in use or not. Best for quickest time from streaming request to streaming session.", - "LocationName": "A location's name. For example, `us-east-1` . For a complete list of locations that Amazon GameLift Streams supports, refer to [Regions and quotas](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/regions-quotas.html) in the *Amazon GameLift Streams Developer Guide* .", + "LocationName": "A location's name. For example, `us-east-1` . For a complete list of locations that Amazon GameLift Streams supports, refer to [Regions, quotas, and limitations](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/regions-quotas.html) in the *Amazon GameLift Streams Developer Guide* .", "OnDemandCapacity": "The streaming capacity that Amazon GameLift Streams can allocate in response to stream requests, and then de-allocate when the session has terminated. This offers a cost control measure at the expense of a greater startup time (typically under 5 minutes)." }, "AWS::GlobalAccelerator::Accelerator": { @@ -20206,27 +20682,27 @@ "DatabaseName": "The name of the database. For Hive compatibility, this is folded to lowercase when it is stored.", "TableName": "The table name. For Hive compatibility, this must be entirely lowercase.", "TableOptimizerConfiguration": "Specifies configuration details of a table optimizer.", - "Type": "The type of table optimizer. Currently, the only valid value is compaction." + "Type": "The type of table optimizer. The valid values are:\n\n- compaction - for managing compaction with a table optimizer.\n- retention - for managing the retention of snapshot with a table optimizer.\n- orphan_file_deletion - for managing the deletion of orphan files with a table optimizer." }, "AWS::Glue::TableOptimizer IcebergConfiguration": { - "Location": "", - "OrphanFileRetentionPeriodInDays": "" + "Location": "Specifies a directory in which to look for orphan files (defaults to the table's location). You may choose a sub-directory rather than the top-level table location.", + "OrphanFileRetentionPeriodInDays": "The specific number of days you want to keep the orphan files." }, "AWS::Glue::TableOptimizer OrphanFileDeletionConfiguration": { - "IcebergConfiguration": "" + "IcebergConfiguration": "The `IcebergConfiguration` property helps optimize your Iceberg tables in AWS Glue by allowing you to specify format-specific settings that control how data is stored, compressed, and managed." }, "AWS::Glue::TableOptimizer RetentionConfiguration": { - "IcebergConfiguration": "" + "IcebergConfiguration": "The configuration for an Iceberg snapshot retention optimizer." }, "AWS::Glue::TableOptimizer TableOptimizerConfiguration": { "Enabled": "Whether the table optimization is enabled.", - "OrphanFileDeletionConfiguration": "", - "RetentionConfiguration": "", + "OrphanFileDeletionConfiguration": "`OrphanFileDeletionConfiguration` is a property that can be included within the TableOptimizer resource. It controls the automatic deletion of orphaned files - files that are not tracked by the table metadata, and older than the configured age limit.", + "RetentionConfiguration": "The configuration for a snapshot retention optimizer for Apache Iceberg tables.", "RoleArn": "A role passed by the caller which gives the service permission to update the resources associated with the optimizer on the caller's behalf.", - "VpcConfiguration": "" + "VpcConfiguration": "An object that describes the VPC configuration for a table optimizer. This configuration is necessary to perform optimization on tables that are in a customer VPC." }, "AWS::Glue::TableOptimizer VpcConfiguration": { - "GlueConnectionName": "" + "GlueConnectionName": "The name of the AWS Glue connection used for the VPC for the table optimizer." }, "AWS::Glue::Trigger": { "Actions": "The actions initiated by this trigger.", @@ -21495,7 +21971,7 @@ "InstanceConfiguration": "A group of options that can be used to configure an instance for building and testing container images.", "KmsKeyId": "Identifies which KMS key is used to encrypt the container image for distribution to the target Region.", "Name": "The name of the container recipe.", - "ParentImage": "The base image for the container recipe.", + "ParentImage": "The base image for customizations specified in the container recipe. This can contain an Image Builder image resource ARN or a container image URI, for example `amazonlinux:latest` .", "PlatformOverride": "Specifies the operating system platform when you use a custom base image.", "Tags": "Tags that are attached to the container recipe.", "TargetRepository": "The destination repository for the container image.", @@ -21528,7 +22004,7 @@ }, "AWS::ImageBuilder::ContainerRecipe InstanceConfiguration": { "BlockDeviceMappings": "Defines the block devices to attach for building an instance from this Image Builder AMI.", - "Image": "The AMI ID to use as the base image for a container build and test instance. If not specified, Image Builder will use the appropriate ECS-optimized AMI as a base image." + "Image": "The base image for a container build and test instance. This can contain an AMI ID or it can specify an AWS Systems Manager (SSM) Parameter Store Parameter, prefixed by `ssm:` , followed by the parameter name or ARN.\n\nIf not specified, Image Builder uses the appropriate ECS-optimized AMI as a base image." }, "AWS::ImageBuilder::ContainerRecipe TargetContainerRepository": { "RepositoryName": "The name of the container repository where the output container image is stored. This name is prefixed by the repository location. For example, `/repository_name` .", @@ -21559,7 +22035,8 @@ "FastLaunchConfigurations": "The Windows faster-launching configurations to use for AMI distribution.", "LaunchTemplateConfigurations": "A group of launchTemplateConfiguration settings that apply to image distribution for specified accounts.", "LicenseConfigurationArns": "The License Manager Configuration to associate with the AMI in the specified Region. For more information, see the [LicenseConfiguration API](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_LicenseConfiguration.html) .", - "Region": "The target Region for the Distribution Configuration. For example, `eu-west-1` ." + "Region": "The target Region for the Distribution Configuration. For example, `eu-west-1` .", + "SsmParameterConfigurations": "Contains settings to update AWS Systems Manager (SSM) Parameter Store Parameters with output AMI IDs from the build by target Region." }, "AWS::ImageBuilder::DistributionConfiguration FastLaunchConfiguration": { "AccountId": "The owner account ID for the fast-launch enabled Windows AMI.", @@ -21587,6 +22064,11 @@ "LaunchTemplateId": "Identifies the Amazon EC2 launch template to use.", "SetDefaultVersion": "Set the specified Amazon EC2 launch template as the default launch template for the specified account." }, + "AWS::ImageBuilder::DistributionConfiguration SsmParameterConfiguration": { + "AmiAccountId": "Specify the account that will own the Parameter in a given Region. During distribution, this account must be specified in distribution settings as a target account for the Region.", + "DataType": "The data type specifies what type of value the Parameter contains. We recommend that you use data type `aws:ec2:image` .", + "ParameterName": "This is the name of the Parameter in the target Region or account. The image distribution creates the Parameter if it doesn't already exist. Otherwise, it updates the parameter." + }, "AWS::ImageBuilder::DistributionConfiguration TargetContainerRepository": { "RepositoryName": "The name of the container repository where the output container image is stored. This name is prefixed by the repository location. For example, `/repository_name` .", "Service": "Specifies the service in which this image was registered." @@ -21670,12 +22152,12 @@ "AWS::ImageBuilder::ImageRecipe": { "AdditionalInstanceConfiguration": "Before you create a new AMI, Image Builder launches temporary Amazon EC2 instances to build and test your image configuration. Instance configuration adds a layer of control over those instances. You can define settings and add scripts to run when an instance is launched from your AMI.", "BlockDeviceMappings": "The block device mappings to apply when creating images from this recipe.", - "Components": "The components of the image recipe. Components are orchestration documents that define a sequence of steps for downloading, installing, configuring, and testing software packages. They also define validation and security hardening steps. A component is defined using a YAML document format.", + "Components": "The components that are included in the image recipe. Recipes require a minimum of one build component, and can have a maximum of 20 build and test components in any combination.", "Description": "The description of the image recipe.", "Name": "The name of the image recipe.", - "ParentImage": "The parent image of the image recipe. The string must be either an Image ARN or an AMI ID.", + "ParentImage": "The base image for customizations specified in the image recipe. You can specify the parent image using one of the following options:\n\n- AMI ID\n- Image Builder image Amazon Resource Name (ARN)\n- AWS Systems Manager (SSM) Parameter Store Parameter, prefixed by `ssm:` , followed by the parameter name or ARN.\n- AWS Marketplace product ID", "Tags": "The tags of the image recipe.", - "Version": "The semantic version of the image recipe.", + "Version": "The version of the image recipe.", "WorkingDirectory": "The working directory to be used during build and test workflows." }, "AWS::ImageBuilder::ImageRecipe AdditionalInstanceConfiguration": { @@ -21980,25 +22462,6 @@ "AWS::Invoicing::InvoiceUnit Rule": { "LinkedAccounts": "The list of `LINKED_ACCOUNT` IDs where charges are included within the invoice unit." }, - "AWS::IoT1Click::Device": { - "DeviceId": "The ID of the device, such as `G030PX0312744DWM` .", - "Enabled": "A Boolean value indicating whether the device is enabled ( `true` ) or not ( `false` )." - }, - "AWS::IoT1Click::Placement": { - "AssociatedDevices": "The devices to associate with the placement, as defined by a mapping of zero or more key-value pairs wherein the key is a template name and the value is a device ID.", - "Attributes": "The user-defined attributes associated with the placement.", - "PlacementName": "The name of the placement.", - "ProjectName": "The name of the project containing the placement." - }, - "AWS::IoT1Click::Project": { - "Description": "The description of the project.", - "PlacementTemplate": "An object describing the project's placement specifications.", - "ProjectName": "The name of the project from which to obtain information." - }, - "AWS::IoT1Click::Project PlacementTemplate": { - "DefaultAttributes": "The default attributes (key-value pairs) to be applied to all placements using this template.", - "DeviceTemplates": "An object specifying the [DeviceTemplate](https://docs.aws.amazon.com/iot-1-click/latest/projects-apireference/API_DeviceTemplate.html) for all placements using this ( [PlacementTemplate](https://docs.aws.amazon.com/iot-1-click/latest/projects-apireference/API_PlacementTemplate.html) ) template." - }, "AWS::IoT::AccountAuditConfiguration": { "AccountId": "The ID of the account. You can use the expression `!Sub \"${AWS::AccountId}\"` to use your account ID.", "AuditCheckConfigurations": "Specifies which audit checks are enabled and disabled for this account.\n\nSome data collection might start immediately when certain checks are enabled. When a check is disabled, any data collected so far in relation to the check is deleted. To disable a check, set the value of the `Enabled:` key to `false` .\n\nIf an enabled check is removed from the template, it will also be disabled.\n\nYou can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself to disable the check.\n\nFor more information on available audit checks see [AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iot-accountauditconfiguration-auditcheckconfigurations.html)", @@ -22510,7 +22973,8 @@ }, "AWS::IoT::ThingPrincipalAttachment": { "Principal": "The principal, which can be a certificate ARN (as returned from the `CreateCertificate` operation) or an Amazon Cognito ID.", - "ThingName": "The name of the AWS IoT thing." + "ThingName": "The name of the AWS IoT thing.", + "ThingPrincipalType": "" }, "AWS::IoT::ThingType": { "DeprecateThingType": "Deprecates a thing type. You can not associate new things with deprecated thing type.\n\nRequires permission to access the [DeprecateThingType](https://docs.aws.amazon.com//service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions) action.", @@ -25075,7 +25539,7 @@ "AWS::KinesisAnalyticsV2::Application": { "ApplicationConfiguration": "Use this parameter to configure the application.", "ApplicationDescription": "The description of the application.", - "ApplicationMaintenanceConfiguration": "", + "ApplicationMaintenanceConfiguration": "Specifies the maintenance window parameters for a Kinesis Data Analytics application.", "ApplicationMode": "To create a Kinesis Data Analytics Studio notebook, you must set the mode to `INTERACTIVE` . However, for a Kinesis Data Analytics for Apache Flink application, the mode is optional.", "ApplicationName": "The name of the application.", "RunConfiguration": "Describes the starting parameters for an Managed Service for Apache Flink application.", @@ -25098,7 +25562,7 @@ "ZeppelinApplicationConfiguration": "The configuration parameters for a Kinesis Data Analytics Studio notebook." }, "AWS::KinesisAnalyticsV2::Application ApplicationMaintenanceConfiguration": { - "ApplicationMaintenanceWindowStartTime": "Specifies the start time of the maintence window." + "ApplicationMaintenanceWindowStartTime": "" }, "AWS::KinesisAnalyticsV2::Application ApplicationRestoreConfiguration": { "ApplicationRestoreType": "Specifies how the application should be restored.", @@ -26033,7 +26497,7 @@ "Endpoints": "The list of bootstrap servers for your Kafka brokers in the following format: `\"KafkaBootstrapServers\": [\"abc.xyz.com:xxxx\",\"abc2.xyz.com:xxxx\"]` ." }, "AWS::Lambda::EventSourceMapping SelfManagedKafkaEventSourceConfig": { - "ConsumerGroupId": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-consumer-group-id) ." + "ConsumerGroupId": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka-process.html#services-smaa-topic-add) ." }, "AWS::Lambda::EventSourceMapping SourceAccessConfiguration": { "Type": "The type of authentication protocol, VPC components, or virtual host for your event source. For example: `\"Type\":\"SASL_SCRAM_512_AUTH\"` .\n\n- `BASIC_AUTH` \u2013 (Amazon MQ) The AWS Secrets Manager secret that stores your broker credentials.\n- `BASIC_AUTH` \u2013 (Self-managed Apache Kafka) The Secrets Manager ARN of your secret key used for SASL/PLAIN authentication of your Apache Kafka brokers.\n- `VPC_SUBNET` \u2013 (Self-managed Apache Kafka) The subnets associated with your VPC. Lambda connects to these subnets to fetch data from your self-managed Apache Kafka cluster.\n- `VPC_SECURITY_GROUP` \u2013 (Self-managed Apache Kafka) The VPC security group used to manage access to your self-managed Apache Kafka brokers.\n- `SASL_SCRAM_256_AUTH` \u2013 (Self-managed Apache Kafka) The Secrets Manager ARN of your secret key used for SASL SCRAM-256 authentication of your self-managed Apache Kafka brokers.\n- `SASL_SCRAM_512_AUTH` \u2013 (Amazon MSK, Self-managed Apache Kafka) The Secrets Manager ARN of your secret key used for SASL SCRAM-512 authentication of your self-managed Apache Kafka brokers.\n- `VIRTUAL_HOST` \u2013- (RabbitMQ) The name of the virtual host in your RabbitMQ broker. Lambda uses this RabbitMQ host as the event source. This property cannot be specified in an UpdateEventSourceMapping API call.\n- `CLIENT_CERTIFICATE_TLS_AUTH` \u2013 (Amazon MSK, self-managed Apache Kafka) The Secrets Manager ARN of your secret key containing the certificate chain (X.509 PEM), private key (PKCS#8 PEM), and private key password (optional) used for mutual TLS authentication of your MSK/Apache Kafka brokers.\n- `SERVER_ROOT_CA_CERTIFICATE` \u2013 (Self-managed Apache Kafka) The Secrets Manager ARN of your secret key containing the root CA certificate (X.509 PEM) used for TLS encryption of your Apache Kafka brokers.", @@ -26181,8 +26645,8 @@ "ProvisionedConcurrentExecutions": "The amount of provisioned concurrency to allocate for the version." }, "AWS::Lambda::Version RuntimePolicy": { - "RuntimeVersionArn": "", - "UpdateRuntimeOn": "" + "RuntimeVersionArn": "The ARN of the runtime version you want the function to use.\n\n> This is only required if you're using the *Manual* runtime update mode.", + "UpdateRuntimeOn": "Specify the runtime update mode.\n\n- *Auto (default)* - Automatically update to the most recent and secure runtime version using a [Two-phase runtime version rollout](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-two-phase) . This is the best choice for most customers to ensure they always benefit from runtime updates.\n- *FunctionUpdate* - Lambda updates the runtime of you function to the most recent and secure runtime version when you update your function. This approach synchronizes runtime updates with function deployments, giving you control over when runtime updates are applied and allowing you to detect and mitigate rare runtime update incompatibilities early. When using this setting, you need to regularly update your functions to keep their runtime up-to-date.\n- *Manual* - You specify a runtime version in your function configuration. The function will use this runtime version indefinitely. In the rare case where a new runtime version is incompatible with an existing function, this allows you to roll back your function to an earlier runtime version. For more information, see [Roll back a runtime version](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-rollback) .\n\n*Valid Values* : `Auto` | `FunctionUpdate` | `Manual`" }, "AWS::LaunchWizard::Deployment": { "DeploymentPatternName": "The name of the deployment pattern.", @@ -26589,6 +27053,7 @@ "Name": "The name given to the slot.", "ObfuscationSetting": "Determines whether the contents of the slot are obfuscated in Amazon CloudWatch Logs logs. Use obfuscated slots to protect information such as personally identifiable information (PII) in logs.", "SlotTypeName": "The name of the slot type that this slot is based on. The slot type defines the acceptable values for the slot.", + "SubSlotSetting": "", "ValueElicitationSetting": "Determines the slot resolution strategy that Amazon Lex uses to return slot type values. The field can be set to one of the following values:\n\n- ORIGINAL_VALUE - Returns the value entered by the user, if the user value is similar to a slot value.\n- TOP_RESOLUTION - If there is a resolution list for the slot, return the first value in the resolution list as the slot type value. If there is no resolution list, null is returned.\n\nIf you don't specify the `valueSelectionStrategy` , the default is `ORIGINAL_VALUE` ." }, "AWS::Lex::Bot SlotCaptureSetting": { @@ -26652,16 +27117,30 @@ "RegexFilter": "A regular expression used to validate the value of a slot.", "ResolutionStrategy": "Determines the slot resolution strategy that Amazon Lex uses to return slot type values. The field can be set to one of the following values:\n\n- `ORIGINAL_VALUE` - Returns the value entered by the user, if the user value is similar to the slot value.\n- `TOP_RESOLUTION` - If there is a resolution list for the slot, return the first value in the resolution list as the slot type value. If there is no resolution list, null is returned.\n\nIf you don't specify the `valueSelectionStrategy` , the default is `ORIGINAL_VALUE` ." }, + "AWS::Lex::Bot Specifications": { + "SlotTypeId": "The unique identifier assigned to the slot type.", + "ValueElicitationSetting": "Specifies the elicitation setting details for constituent sub slots of a composite slot." + }, "AWS::Lex::Bot StillWaitingResponseSpecification": { "AllowInterrupt": "Indicates that the user can interrupt the response by speaking while the message is being played.", "FrequencyInSeconds": "How often a message should be sent to the user. Minimum of 1 second, maximum of 5 minutes.", "MessageGroupsList": "One or more message groups, each containing one or more messages, that define the prompts that Amazon Lex sends to the user.", "TimeoutInSeconds": "If Amazon Lex waits longer than this length of time for a response, it will stop sending messages." }, + "AWS::Lex::Bot SubSlotSetting": { + "Expression": "The expression text for defining the constituent sub slots in the composite slot using logical AND and OR operators.", + "SlotSpecifications": "Specifications for the constituent sub slots of a composite slot." + }, "AWS::Lex::Bot SubSlotTypeComposition": { "Name": "Name of a constituent sub slot inside a composite slot.", "SlotTypeId": "The unique identifier assigned to a slot type. This refers to either a built-in slot type or the unique slotTypeId of a custom slot type." }, + "AWS::Lex::Bot SubSlotValueElicitationSetting": { + "DefaultValueSpecification": "", + "PromptSpecification": "", + "SampleUtterances": "If you know a specific pattern that users might respond to an Amazon Lex request for a sub slot value, you can provide those utterances to improve accuracy. This is optional. In most cases Amazon Lex is capable of understanding user utterances. This is similar to `SampleUtterances` for slots.", + "WaitAndContinueSpecification": "" + }, "AWS::Lex::Bot Tag": { "Key": "", "Value": "" @@ -27089,6 +27568,19 @@ "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" }, + "AWS::Lightsail::InstanceSnapshot": { + "InstanceName": "The name the user gave the instance ( `Amazon_Linux_2023-1` ).", + "InstanceSnapshotName": "The name of the snapshot.", + "Tags": "The tag keys and optional values for the resource. For more information about tags in Lightsail, see the [Amazon Lightsail Developer Guide](https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-tags) ." + }, + "AWS::Lightsail::InstanceSnapshot Location": { + "AvailabilityZone": "", + "RegionName": "" + }, + "AWS::Lightsail::InstanceSnapshot Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::LoadBalancer": { "AttachedInstances": "The Lightsail instances to attach to the load balancer.", "HealthCheckPath": "The path on the attached instance where the health check will be performed. If no path is specified, the load balancer tries to make a request to the default (root) page ( `/index.html` ).", @@ -27231,6 +27723,10 @@ "OutputFormat": "The format of the logs that are sent to this delivery destination.", "Tags": "An array of key-value pairs to apply to the delivery destination.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Logs::DeliveryDestination DestinationPolicy": { + "DeliveryDestinationName": "", + "DeliveryDestinationPolicy": "" + }, "AWS::Logs::DeliveryDestination Tag": { "Key": "The key of this key-value pair.", "Value": "The value of this key-value pair." @@ -27821,7 +28317,7 @@ "KafkaVersionsList": "The [versions of Apache Kafka](https://docs.aws.amazon.com/msk/latest/developerguide/supported-kafka-versions.html) with which you can use this MSK configuration.\n\nWhen you update the `KafkaVersionsList` property, AWS CloudFormation recreates a new configuration with the updated property before deleting the old configuration. Such an update requires a [resource replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) . To successfully update `KafkaVersionsList` , you must also update the `Name` property in the same operation.\n\nIf your configuration is attached with any clusters created using the AWS Management Console or AWS CLI , you'll need to manually delete the old configuration from the console after the update completes.\n\nFor more information, see [Can\u2019t update KafkaVersionsList in MSK configuration](https://docs.aws.amazon.com/msk/latest/developerguide/troubleshooting.html#troubleshoot-kafkaversionslist-cfn-update-failure) in the *Amazon MSK Developer Guide* .", "LatestRevision": "Latest revision of the MSK configuration.", "Name": "The name of the configuration. Configuration names are strings that match the regex \"^[0-9A-Za-z][0-9A-Za-z-]{0,}$\".", - "ServerProperties": "Contents of the `server.properties` file. When using this property, you must ensure that the contents of the file are base64 encoded. When using the console, the SDK, or the AWS CLI , the contents of `server.properties` can be in plaintext." + "ServerProperties": "Contents of the `server.properties` file. When using the console, the SDK, or the AWS CLI , the contents of `server.properties` can be in plaintext." }, "AWS::MSK::Configuration LatestRevision": { "CreationTime": "The time when the configuration revision was created.", @@ -28471,7 +28967,7 @@ "InputSpecification": "The input specification for this channel. It specifies the key characteristics of the inputs for this channel: the maximum bitrate, the resolution, and the codec.", "LogLevel": "The verbosity for logging activity for this channel. Charges for logging (which are generated through Amazon CloudWatch Logging) are higher for higher verbosities.", "Maintenance": "Maintenance settings for this channel.", - "Name": "A name for this audio selector. The AudioDescription (in an output) references this name in order to identify a specific input audio to include in that output.", + "Name": "Name of channel.", "RoleArn": "The IAM role for MediaLive to assume when running this channel. The role is identified by its ARN.", "Tags": "A collection of tags for this channel. Each tag is a key-value pair.", "Vpc": "Settings to enable VPC mode in the channel, so that the endpoints for all outputs are in your VPC." @@ -28615,6 +29111,7 @@ }, "AWS::MediaLive::Channel Av1Settings": { "AfdSignaling": "", + "Bitrate": "", "BufSize": "", "ColorSpaceSettings": "", "FixedAfd": "", @@ -28629,6 +29126,7 @@ "ParDenominator": "", "ParNumerator": "", "QvbrQualityLevel": "", + "RateControlMode": "", "SceneChangeDetect": "", "TimecodeBurninSettings": "" }, @@ -28731,7 +29229,12 @@ "AWS::MediaLive::Channel ChannelEngineVersionRequest": { "Version": "" }, + "AWS::MediaLive::Channel CmafIngestCaptionLanguageMapping": { + "CaptionChannel": "", + "LanguageCode": "" + }, "AWS::MediaLive::Channel CmafIngestGroupSettings": { + "CaptionLanguageMappings": "", "Destination": "", "Id3Behavior": "", "Id3NameModifier": "", @@ -28743,7 +29246,10 @@ "Scte35Type": "", "SegmentLength": "", "SegmentLengthUnits": "", - "SendDelayMs": "" + "SendDelayMs": "", + "TimedMetadataId3Frame": "", + "TimedMetadataId3Period": "", + "TimedMetadataPassthrough": "" }, "AWS::MediaLive::Channel CmafIngestOutputSettings": { "NameModifier": "" @@ -28826,6 +29332,8 @@ }, "AWS::MediaLive::Channel EbuTtDDestinationSettings": { "CopyrightHolder": "Applies only if you plan to convert these source captions to EBU-TT-D or TTML in an output. Complete this field if you want to include the name of the copyright holder in the copyright metadata tag in the TTML", + "DefaultFontSize": "", + "DefaultLineHeight": "", "FillLineGap": "Specifies how to handle the gap between the lines (in multi-line captions). - enabled: Fill with the captions background color (as specified in the input captions).\n- disabled: Leave the gap unfilled.", "FontFamily": "Specifies the font family to include in the font data attached to the EBU-TT captions. Valid only if styleControl is set to include. If you leave this field empty, the font family is set to \"monospaced\". (If styleControl is set to exclude, the font family is always set to \"monospaced\".) You specify only the font family. All other style information (color, bold, position and so on) is copied from the input captions. The size is always set to 100% to allow the downstream player to choose the size. - Enter a list of font families, as a comma-separated list of font names, in order of preference. The name can be a font family (such as \u201cArial\u201d), or a generic font family (such as \u201cserif\u201d), or \u201cdefault\u201d (to let the downstream player choose the font).\n- Leave blank to set the family to \u201cmonospace\u201d.", "StyleControl": "Specifies the style information (font color, font position, and so on) to include in the font data that is attached to the EBU-TT captions. - include: Take the style information (font color, font position, and so on) from the source captions and include that information in the font data attached to the EBU-TT captions. This option is valid only if the source captions are Embedded or Teletext.\n- exclude: In the font data attached to the EBU-TT captions, set the font family to \"monospaced\". Do not include any other style information." @@ -29377,6 +29885,7 @@ }, "AWS::MediaLive::Channel OutputDestination": { "Id": "The ID for this destination.", + "LogicalInterfaceNames": "", "MediaPackageSettings": "The destination settings for a MediaPackage output.", "MultiplexSettings": "Destination settings for a Multiplex output; one destination for both encoders.", "Settings": "The destination settings for an output.", @@ -29649,6 +30158,8 @@ "MulticastSettings": "", "Name": "A name for the input.", "RoleArn": "The IAM role for MediaLive to assume when creating a MediaConnect input or Amazon VPC input. This doesn't apply to other types of inputs. The role is identified by its ARN.", + "SdiSources": "", + "Smpte2110ReceiverGroupSettings": "", "Sources": "Settings that apply only if the input is a pull type of input.", "SrtSettings": "", "Tags": "A collection of tags for this input. Each tag is a key-value pair.", @@ -29668,6 +30179,10 @@ "Cidr": "", "Gateway": "" }, + "AWS::MediaLive::Input InputSdpLocation": { + "MediaIndex": "", + "SdpUrl": "" + }, "AWS::MediaLive::Input InputSourceRequest": { "PasswordParam": "The password parameter that holds the password for accessing the upstream system. The password parameter applies only if the upstream system requires credentials.", "Url": "For a pull input, the URL where MediaLive pulls the source content from.", @@ -29687,6 +30202,17 @@ "SourceIp": "", "Url": "" }, + "AWS::MediaLive::Input Smpte2110ReceiverGroup": { + "SdpSettings": "" + }, + "AWS::MediaLive::Input Smpte2110ReceiverGroupSdpSettings": { + "AncillarySdps": "", + "AudioSdps": "", + "VideoSdp": "" + }, + "AWS::MediaLive::Input Smpte2110ReceiverGroupSettings": { + "Smpte2110ReceiverGroups": "" + }, "AWS::MediaLive::Input SrtCallerDecryptionRequest": { "Algorithm": "", "PassphraseSecretArn": "" @@ -30140,7 +30666,7 @@ "DashManifests": "A DASH manifest configuration.", "Description": "The description associated with the origin endpoint.", "ForceEndpointErrorConfiguration": "The failover settings for the endpoint.", - "HlsManifests": "The HLS manfiests associated with the origin endpoint configuration.", + "HlsManifests": "The HLS manifests associated with the origin endpoint configuration.", "LowLatencyHlsManifests": "The low-latency HLS (LL-HLS) manifests associated with the origin endpoint.", "OriginEndpointName": "The name of the origin endpoint associated with the origin endpoint configuration.", "Segment": "The segment associated with the origin endpoint.", @@ -30196,17 +30722,19 @@ "ProgramDateTimeIntervalSeconds": "The `EXT-X-PROGRAM-DATE-TIME` interval, in seconds, associated with the HLS manifest configuration.", "ScteHls": "THE SCTE-35 HLS configuration associated with the HLS manifest configuration.", "StartTag": "", - "Url": "The URL of the HLS manifest configuration." + "Url": "The URL of the HLS manifest configuration.", + "UrlEncodeChildManifest": "" }, "AWS::MediaPackageV2::OriginEndpoint LowLatencyHlsManifestConfiguration": { "ChildManifestName": "The name of the child manifest associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", "FilterConfiguration": "", - "ManifestName": "A short short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", + "ManifestName": "A short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", "ManifestWindowSeconds": "The total duration (in seconds) of the manifest's content.", "ProgramDateTimeIntervalSeconds": "Inserts `EXT-X-PROGRAM-DATE-TIME` tags in the output manifest at the interval that you specify. If you don't enter an interval, `EXT-X-PROGRAM-DATE-TIME` tags aren't included in the manifest. The tags sync the stream to the wall clock so that viewers can seek to a specific time in the playback timeline on the player.\n\nIrrespective of this parameter, if any `ID3Timed` metadata is in the HLS input, MediaPackage passes through that metadata to the HLS output.", "ScteHls": "The SCTE-35 HLS configuration associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", "StartTag": "", - "Url": "The URL of the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint." + "Url": "The URL of the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "UrlEncodeChildManifest": "" }, "AWS::MediaPackageV2::OriginEndpoint Scte": { "ScteFilter": "The filter associated with the SCTE-35 configuration." @@ -30336,6 +30864,7 @@ "Value": "" }, "AWS::MediaTailor::PlaybackConfiguration": { + "AdConditioningConfiguration": "The setting that indicates what conditioning MediaTailor will perform on ads that the ad decision server (ADS) returns, and what priority MediaTailor uses when inserting ads.", "AdDecisionServerUrl": "The URL for the ad decision server (ADS). This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing you can provide a static VAST URL. The maximum length is 25,000 characters.", "AvailSuppression": "The configuration for avail suppression, also known as ad suppression. For more information about ad suppression, see [Ad Suppression](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", "Bumper": "The configuration for bumpers. Bumpers are short audio or video clips that play at the start or before the end of an ad break. To learn more about bumpers, see [Bumpers](https://docs.aws.amazon.com/mediatailor/latest/ug/bumpers.html) .", @@ -30352,6 +30881,9 @@ "TranscodeProfileName": "The name that is used to associate this playback configuration with a custom transcode profile. This overrides the dynamic transcoding defaults of MediaTailor. Use this only if you have already set up custom profiles with the help of AWS Support.", "VideoContentSourceUrl": "The URL prefix for the parent manifest for the stream, minus the asset ID. The maximum length is 512 characters." }, + "AWS::MediaTailor::PlaybackConfiguration AdConditioningConfiguration": { + "StreamingMediaFileConditioning": "For ads that have media files with streaming delivery and supported file extensions, indicates what transcoding action MediaTailor takes when it first receives these ads from the ADS. `TRANSCODE` indicates that MediaTailor must transcode the ads. `NONE` indicates that you have already transcoded the ads outside of MediaTailor and don't need them transcoded as part of the ad insertion workflow. For more information about ad conditioning see [Using preconditioned ads](https://docs.aws.amazon.com/mediatailor/latest/ug/precondition-ads.html) in the AWS Elemental MediaTailor user guide." + }, "AWS::MediaTailor::PlaybackConfiguration AdMarkerPassthrough": { "Enabled": "Enables ad marker passthrough for your configuration." }, @@ -30658,7 +31190,7 @@ "FirewallPolicyArn": "The Amazon Resource Name (ARN) of the firewall policy.\n\nThe relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.", "FirewallPolicyChangeProtection": "A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to `TRUE` .", "SubnetChangeProtection": "A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to `TRUE` .", - "SubnetMappings": "The public subnets that Network Firewall is using for the firewall. Each subnet must belong to a different Availability Zone.", + "SubnetMappings": "The primary public subnets that Network Firewall is using for the firewall. Network Firewall creates a firewall endpoint in each subnet. Create a subnet mapping for each Availability Zone where you want to use the firewall.\n\nThese subnets are all defined for a single, primary VPC, and each must belong to a different Availability Zone. Each of these subnets establishes the availability of the firewall in its Availability Zone.\n\nIn addition to these subnets, you can define other endpoints for the firewall in `VpcEndpointAssociation` resources. You can define these additional endpoints for any VPC, and for any of the Availability Zones where the firewall resource already has a subnet mapping. VPC endpoint associations give you the ability to protect multiple VPCs using a single firewall, and to define multiple firewall endpoints for a VPC in a single Availability Zone.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "VpcId": "The unique identifier of the VPC where the firewall is in use. You can't change the VPC of a firewall after you create the firewall." }, @@ -30892,6 +31424,21 @@ "Key": "The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", "Value": "The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." }, + "AWS::NetworkFirewall::VpcEndpointAssociation": { + "Description": "A description of the VPC endpoint association.", + "FirewallArn": "The Amazon Resource Name (ARN) of the firewall.", + "SubnetMapping": "The ID for a subnet that's used in an association with a firewall. This is used in `CreateFirewall` , `AssociateSubnets` , and `CreateVpcEndpointAssociation` . AWS Network Firewall creates an instance of the associated firewall in each subnet that you specify, to filter traffic in the subnet's Availability Zone.", + "Tags": "The key:value pairs to associate with the resource.", + "VpcId": "The unique identifier of the VPC for the endpoint association." + }, + "AWS::NetworkFirewall::VpcEndpointAssociation SubnetMapping": { + "IPAddressType": "The subnet's IP address type. You can't change the IP address type after you create the subnet.", + "SubnetId": "The unique identifier for the subnet." + }, + "AWS::NetworkFirewall::VpcEndpointAssociation Tag": { + "Key": "The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::NetworkManager::ConnectAttachment": { "CoreNetworkId": "The ID of the core network where the Connect attachment is located.", "EdgeLocation": "The Region where the edge is located.", @@ -31161,121 +31708,6 @@ "ApplianceModeSupport": "Indicates whether appliance mode is supported. If enabled, traffic flow between a source and destination use the same Availability Zone for the VPC attachment for the lifetime of that flow. The default value is `false` .", "Ipv6Support": "Indicates whether IPv6 is supported." }, - "AWS::NimbleStudio::LaunchProfile": { - "Description": "A human-readable description of the launch profile.", - "Ec2SubnetIds": "Unique identifiers for a collection of EC2 subnets.", - "LaunchProfileProtocolVersions": "The version number of the protocol that is used by the launch profile. The only valid version is \"2021-03-31\".", - "Name": "A friendly name for the launch profile.", - "StreamConfiguration": "A configuration for a streaming session.", - "StudioComponentIds": "Unique identifiers for a collection of studio components that can be used with this launch profile.", - "StudioId": "The unique identifier for a studio resource. In Nimble Studio, all other resources are contained in a studio resource.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." - }, - "AWS::NimbleStudio::LaunchProfile StreamConfiguration": { - "AutomaticTerminationMode": "Indicates if a streaming session created from this launch profile should be terminated automatically or retained without termination after being in a `STOPPED` state.\n\n- When `ACTIVATED` , the streaming session is scheduled for termination after being in the `STOPPED` state for the time specified in `maxStoppedSessionLengthInMinutes` .\n- When `DEACTIVATED` , the streaming session can remain in the `STOPPED` state indefinitely.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` . When allowed, the default value for this parameter is `DEACTIVATED` .", - "ClipboardMode": "Allows or deactivates the use of the system clipboard to copy and paste between the streaming session and streaming client.", - "Ec2InstanceTypes": "The EC2 instance types that users can select from when launching a streaming session with this launch profile.", - "MaxSessionLengthInMinutes": "The length of time, in minutes, that a streaming session can be active before it is stopped or terminated. After this point, Nimble Studio automatically terminates or stops the session. The default length of time is 690 minutes, and the maximum length of time is 30 days.", - "MaxStoppedSessionLengthInMinutes": "Integer that determines if you can start and stop your sessions and how long a session can stay in the `STOPPED` state. The default value is 0. The maximum value is 5760.\n\nThis field is allowed only when `sessionPersistenceMode` is `ACTIVATED` and `automaticTerminationMode` is `ACTIVATED` .\n\nIf the value is set to 0, your sessions can\u2019t be `STOPPED` . If you then call `StopStreamingSession` , the session fails. If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be terminated (instead of `STOPPED` ).\n\nIf the value is set to a positive number, the session can be stopped. You can call `StopStreamingSession` to stop sessions in the `READY` state. If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be stopped (instead of terminated).", - "SessionBackup": "Information about the streaming session backup.", - "SessionPersistenceMode": "Determine if a streaming session created from this launch profile can configure persistent storage. This means that `volumeConfiguration` and `automaticTerminationMode` are configured.", - "SessionStorage": "The upload storage for a streaming session.", - "StreamingImageIds": "The streaming images that users can select from when launching a streaming session with this launch profile.", - "VolumeConfiguration": "Custom volume configuration for the root volumes that are attached to streaming sessions.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` ." - }, - "AWS::NimbleStudio::LaunchProfile StreamConfigurationSessionBackup": { - "MaxBackupsToRetain": "The maximum number of backups that each streaming session created from this launch profile can have.", - "Mode": "Specifies how artists sessions are backed up.\n\nConfigures backups for streaming sessions launched with this launch profile. The default value is `DEACTIVATED` , which means that backups are deactivated. To allow backups, set this value to `AUTOMATIC` ." - }, - "AWS::NimbleStudio::LaunchProfile StreamConfigurationSessionStorage": { - "Mode": "Allows artists to upload files to their workstations. The only valid option is `UPLOAD` .", - "Root": "The configuration for the upload storage root of the streaming session." - }, - "AWS::NimbleStudio::LaunchProfile StreamingSessionStorageRoot": { - "Linux": "The folder path in Linux workstations where files are uploaded.", - "Windows": "The folder path in Windows workstations where files are uploaded." - }, - "AWS::NimbleStudio::LaunchProfile VolumeConfiguration": { - "Iops": "The number of I/O operations per second for the root volume that is attached to streaming session.", - "Size": "The size of the root volume that is attached to the streaming session. The root volume size is measured in GiBs.", - "Throughput": "The throughput to provision for the root volume that is attached to the streaming session. The throughput is measured in MiB/s." - }, - "AWS::NimbleStudio::StreamingImage": { - "Description": "A human-readable description of the streaming image.", - "Ec2ImageId": "The ID of an EC2 machine image with which to create the streaming image.", - "EncryptionConfigurationKeyArn": "", - "EncryptionConfigurationKeyType": "", - "Name": "A friendly name for a streaming image resource.", - "StudioId": "The unique identifier for a studio resource. In Nimble Studio, all other resources are contained in a studio resource.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." - }, - "AWS::NimbleStudio::StreamingImage StreamingImageEncryptionConfiguration": { - "KeyArn": "The ARN for a KMS key that is used to encrypt studio data.", - "KeyType": "The type of KMS key that is used to encrypt studio data." - }, - "AWS::NimbleStudio::Studio": { - "AdminRoleArn": "The IAM role that studio admins assume when logging in to the Nimble Studio portal.", - "DisplayName": "A friendly name for the studio.", - "StudioEncryptionConfiguration": "Configuration of the encryption method that is used for the studio.", - "StudioName": "The name of the studio, as included in the URL when accessing it in the Nimble Studio portal.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", - "UserRoleArn": "The IAM role that studio users assume when logging in to the Nimble Studio portal." - }, - "AWS::NimbleStudio::Studio StudioEncryptionConfiguration": { - "KeyArn": "The ARN for a KMS key that is used to encrypt studio data.", - "KeyType": "The type of KMS key that is used to encrypt studio data." - }, - "AWS::NimbleStudio::StudioComponent": { - "Configuration": "The configuration of the studio component, based on component type.", - "Description": "A human-readable description for the studio component resource.", - "Ec2SecurityGroupIds": "The EC2 security groups that control access to the studio component.", - "InitializationScripts": "Initialization scripts for studio components.", - "Name": "A friendly name for the studio component resource.", - "ScriptParameters": "Parameters for the studio component scripts.", - "StudioId": "The unique identifier for a studio resource. In Nimble Studio, all other resources are contained in a studio resource.", - "Subtype": "The specific subtype of a studio component.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", - "Type": "The type of the studio component." - }, - "AWS::NimbleStudio::StudioComponent ActiveDirectoryComputerAttribute": { - "Name": "The name for the LDAP attribute.", - "Value": "The value for the LDAP attribute." - }, - "AWS::NimbleStudio::StudioComponent ActiveDirectoryConfiguration": { - "ComputerAttributes": "A collection of custom attributes for an Active Directory computer.", - "DirectoryId": "The directory ID of the AWS Directory Service for Microsoft Active Directory to access using this studio component.", - "OrganizationalUnitDistinguishedName": "The distinguished name (DN) and organizational unit (OU) of an Active Directory computer." - }, - "AWS::NimbleStudio::StudioComponent ComputeFarmConfiguration": { - "ActiveDirectoryUser": "The name of an Active Directory user that is used on ComputeFarm worker instances.", - "Endpoint": "The endpoint of the ComputeFarm that is accessed by the studio component resource." - }, - "AWS::NimbleStudio::StudioComponent LicenseServiceConfiguration": { - "Endpoint": "The endpoint of the license service that is accessed by the studio component resource." - }, - "AWS::NimbleStudio::StudioComponent ScriptParameterKeyValue": { - "Key": "A script parameter key.", - "Value": "A script parameter value." - }, - "AWS::NimbleStudio::StudioComponent SharedFileSystemConfiguration": { - "Endpoint": "The endpoint of the shared file system that is accessed by the studio component resource.", - "FileSystemId": "The unique identifier for a file system.", - "LinuxMountPoint": "The mount location for a shared file system on a Linux virtual workstation.", - "ShareName": "The name of the file share.", - "WindowsMountDrive": "The mount location for a shared file system on a Windows virtual workstation." - }, - "AWS::NimbleStudio::StudioComponent StudioComponentConfiguration": { - "ActiveDirectoryConfiguration": "The configuration for a AWS Directory Service for Microsoft Active Directory studio resource.", - "ComputeFarmConfiguration": "The configuration for a render farm that is associated with a studio resource.", - "LicenseServiceConfiguration": "The configuration for a license service that is associated with a studio resource.", - "SharedFileSystemConfiguration": "The configuration for a shared file storage system that is associated with a studio resource." - }, - "AWS::NimbleStudio::StudioComponent StudioComponentInitializationScript": { - "LaunchProfileProtocolVersion": "The version number of the protocol that is used by the launch profile. The only valid version is \"2021-03-31\".", - "Platform": "The platform of the initialization script, either Windows or Linux.", - "RunContext": "The method to use when running the initialization script.", - "Script": "The initialization script." - }, "AWS::Notifications::ChannelAssociation": { "Arn": "The Amazon Resource Name (ARN) of the `Channel` .", "NotificationConfigurationArn": "The ARN of the `NotificationConfiguration` associated with the `Channel` ." @@ -31377,18 +31809,18 @@ "VpcEndpointManagement": "Defines whether you or Amazon OpenSearch Ingestion service create and manage the VPC endpoint configured for the pipeline." }, "AWS::Oam::Link": { - "LabelTemplate": "Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.\n\nYou can include the following variables in your template:\n\n- `$AccountName` is the name of the account\n- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as `mariagarcia@example.com`\n- `$AccountEmailNoDomain` is an email address without the domain name, such as `mariagarcia`", + "LabelTemplate": "Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.\n\nYou can include the following variables in your template:\n\n- `$AccountName` is the name of the account\n- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as `mariagarcia@example.com`\n- `$AccountEmailNoDomain` is an email address without the domain name, such as `mariagarcia`\n\n> In the and Regions, the only supported option is to use custom labels, and the `$AccountName` , `$AccountEmail` , and `$AccountEmailNoDomain` variables all resolve as *account-id* instead of the specified variable.", "LinkConfiguration": "Use this structure to optionally create filters that specify that only some metric namespaces or log groups are to be shared from the source account to the monitoring account.", - "ResourceTypes": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application | AWS::InternetMonitor::Monitor | AWS::ApplicationSignals::Service | AWS::ApplicationSignals::ServiceLevelObjective` .", + "ResourceTypes": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application | AWS::InternetMonitor::Monitor` .", "SinkIdentifier": "The ARN of the sink in the monitoring account that you want to link to. You can use [ListSinks](https://docs.aws.amazon.com/OAM/latest/APIReference/API_ListSinks.html) to find the ARNs of sinks.", "Tags": "An array of key-value pairs to apply to the link.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::Oam::Link LinkConfiguration": { - "LogGroupConfiguration": "Use this structure to filter which log groups are to send log events from the source account to the monitoring account.", + "LogGroupConfiguration": "Use this structure to filter which log groups are to share log events from this source account to the monitoring account.", "MetricConfiguration": "Use this structure to filter which metric namespaces are to be shared from the source account to the monitoring account." }, "AWS::Oam::Link LinkFilter": { - "Filter": "" + "Filter": "When used in `MetricConfiguration` this field specifies which metric namespaces are to be shared with the monitoring account\n\nWhen used in `LogGroupConfiguration` this field specifies which log groups are to share their log events with the monitoring account. Use the term `LogGroupName` and one or more of the following operands.\n\nUse single quotation marks (') around log group names and metric namespaces.\n\nThe matching of log group names and metric namespaces is case sensitive. Each filter has a limit of five conditional operands. Conditional operands are `AND` and `OR` .\n\n- `=` and `!=`\n- `AND`\n- `OR`\n- `LIKE` and `NOT LIKE` . These can be used only as prefix searches. Include a `%` at the end of the string that you want to search for and include.\n- `IN` and `NOT IN` , using parentheses `( )`\n\nExamples:\n\n- `Namespace NOT LIKE 'AWS/%'` includes only namespaces that don't start with `AWS/` , such as custom namespaces.\n- `Namespace IN ('AWS/EC2', 'AWS/ELB', 'AWS/S3')` includes only the metrics in the EC2, Elastic Load Balancing , and Amazon S3 namespaces.\n- `Namespace = 'AWS/EC2' OR Namespace NOT LIKE 'AWS/%'` includes only the EC2 namespace and your custom namespaces.\n- `LogGroupName IN ('This-Log-Group', 'Other-Log-Group')` includes only the log groups with names `This-Log-Group` and `Other-Log-Group` .\n- `LogGroupName NOT IN ('Private-Log-Group', 'Private-Log-Group-2')` includes all log groups except the log groups with names `Private-Log-Group` and `Private-Log-Group-2` .\n- `LogGroupName LIKE 'aws/lambda/%' OR LogGroupName LIKE 'AWSLogs%'` includes all log groups that have names that start with `aws/lambda/` or `AWSLogs` .\n\n> If you are updating a link that uses filters, you can specify `*` as the only value for the `filter` parameter to delete the filter and share all log groups with the monitoring account." }, "AWS::Oam::Sink": { "Name": "A name for the sink.", @@ -31475,12 +31907,31 @@ "Name": "The workflow's name.", "ParameterTemplate": "The workflow's parameter template.", "StorageCapacity": "The default static storage capacity (in gibibytes) for runs that use this workflow or workflow version.", + "StorageType": "", "Tags": "Tags for the workflow." }, "AWS::Omics::Workflow WorkflowParameter": { "Description": "The parameter's description.", "Optional": "Whether the parameter is optional." }, + "AWS::Omics::WorkflowVersion": { + "Accelerators": "", + "DefinitionUri": "", + "Description": "The description of the workflow version.", + "Engine": "", + "Main": "", + "ParameterTemplate": "", + "StorageCapacity": "", + "StorageType": "", + "Tags": "", + "VersionName": "The name of the workflow version.", + "WorkflowBucketOwnerId": "", + "WorkflowId": "The workflow's ID." + }, + "AWS::Omics::WorkflowVersion WorkflowParameter": { + "Description": "The parameter's description.", + "Optional": "Whether the parameter is optional." + }, "AWS::OpenSearchServerless::AccessPolicy": { "Description": "The description of the policy.", "Name": "The name of the policy.", @@ -32302,6 +32753,10 @@ "SlurmConfiguration": "Additional options related to the Slurm scheduler.", "Tags": "1 or more tags added to the resource. Each tag consists of a tag key and tag value. The tag value is optional and can be an empty string." }, + "AWS::PCS::Cluster Accounting": { + "DefaultPurgeTimeInDays": "The default value for all purge settings for `slurmdbd.conf` . For more information, see the [slurmdbd.conf documentation at SchedMD](https://docs.aws.amazon.com/https://slurm.schedmd.com/slurmdbd.conf.html) .\n\nThe default value `-1` means there is no purge time and records persist as long as the cluster exists.\n\n> `0` isn't a valid value.", + "Mode": "The default value for `mode` is `STANDARD` . A value of `STANDARD` means Slurm accounting is enabled." + }, "AWS::PCS::Cluster AuthKey": { "SecretArn": "The Amazon Resource Name (ARN) of the shared Slurm key.", "SecretVersion": "The version of the shared Slurm key." @@ -32325,6 +32780,7 @@ "Version": "The version of the specified scheduling software that AWS PCS uses to manage cluster scaling and job scheduling." }, "AWS::PCS::Cluster SlurmConfiguration": { + "Accounting": "The accounting configuration includes configurable settings for Slurm accounting.", "AuthKey": "The shared Slurm key for authentication, also known as the cluster secret.", "ScaleDownIdleTimeInSeconds": "The time before an idle node is scaled down.", "SlurmCustomSettings": "Additional Slurm-specific configuration that directly maps to Slurm settings." @@ -35954,7 +36410,7 @@ }, "AWS::QuickSight::Analysis ResourcePermission": { "Actions": "The IAM action to grant or revoke permissions on.", - "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" + "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" }, "AWS::QuickSight::Analysis RollingDateConfiguration": { "DataSetIdentifier": "The data set that is used in the rolling date configuration.", @@ -38996,7 +39452,7 @@ }, "AWS::QuickSight::Dashboard ResourcePermission": { "Actions": "The IAM action to grant or revoke permissions on.", - "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" + "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" }, "AWS::QuickSight::Dashboard RollingDateConfiguration": { "DataSetIdentifier": "The data set that is used in the rolling date configuration.", @@ -39793,7 +40249,7 @@ }, "AWS::QuickSight::DataSet ColumnLevelPermissionRule": { "ColumnNames": "An array of column names.", - "Principals": "An array of Amazon Resource Names (ARNs) for Amazon QuickSight users or groups." + "Principals": "An array of Amazon Resource Names (ARNs) for QuickSight users or groups." }, "AWS::QuickSight::DataSet ColumnTag": { "ColumnDescription": "A description for a column.", @@ -39883,7 +40339,7 @@ "Type": "The type of join that it is." }, "AWS::QuickSight::DataSet JoinKeyProperties": { - "UniqueKey": "A value that indicates that a row in a table is uniquely identified by the columns in a join key. This is used by Amazon QuickSight to optimize query performance." + "UniqueKey": "A value that indicates that a row in a table is uniquely identified by the columns in a join key. This is used by QuickSight to optimize query performance." }, "AWS::QuickSight::DataSet LogicalTable": { "Alias": "A display name for the logical table.", @@ -39950,7 +40406,7 @@ }, "AWS::QuickSight::DataSet ResourcePermission": { "Actions": "The IAM action to grant or revoke permisions on", - "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" + "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" }, "AWS::QuickSight::DataSet RowLevelPermissionDataSet": { "Arn": "The Amazon Resource Name (ARN) of the dataset that contains permissions for RLS.", @@ -40150,7 +40606,7 @@ }, "AWS::QuickSight::DataSource ResourcePermission": { "Actions": "The IAM action to grant or revoke permissions on.", - "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "Resource": "" }, "AWS::QuickSight::DataSource S3Parameters": { @@ -40231,7 +40687,7 @@ "DayOfWeek": "The day of the week that you want to schedule the refresh on. This value is required for weekly and monthly refresh intervals." }, "AWS::QuickSight::RefreshSchedule RefreshScheduleMap": { - "RefreshType": "The type of refresh that a dataset undergoes. Valid values are as follows:\n\n- `FULL_REFRESH` : A complete refresh of a dataset.\n- `INCREMENTAL_REFRESH` : A partial refresh of some rows of a dataset, based on the time window specified.\n\nFor more information on full and incremental refreshes, see [Refreshing SPICE data](https://docs.aws.amazon.com/quicksight/latest/user/refreshing-imported-data.html) in the *Amazon QuickSight User Guide* .", + "RefreshType": "The type of refresh that a dataset undergoes. Valid values are as follows:\n\n- `FULL_REFRESH` : A complete refresh of a dataset.\n- `INCREMENTAL_REFRESH` : A partial refresh of some rows of a dataset, based on the time window specified.\n\nFor more information on full and incremental refreshes, see [Refreshing SPICE data](https://docs.aws.amazon.com/quicksight/latest/user/refreshing-imported-data.html) in the *QuickSight User Guide* .", "ScheduleFrequency": "The frequency for the refresh schedule.", "ScheduleId": "An identifier for the refresh schedule.", "StartAfterDateTime": "Time after which the refresh schedule can be started, expressed in `YYYY-MM-DDTHH:MM:SS` format." @@ -42279,7 +42735,7 @@ }, "AWS::QuickSight::Template ResourcePermission": { "Actions": "The IAM action to grant or revoke permissions on.", - "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" + "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" }, "AWS::QuickSight::Template RollingDateConfiguration": { "DataSetIdentifier": "The data set that is used in the rolling date configuration.", @@ -43068,7 +43524,7 @@ }, "AWS::QuickSight::Theme ResourcePermission": { "Actions": "The IAM action to grant or revoke permissions on.", - "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" + "Principal": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)" }, "AWS::QuickSight::Theme SheetStyle": { "Tile": "The display options for tiles.", @@ -43377,7 +43833,7 @@ "AWS::RDS::DBCluster": { "AllocatedStorage": "The amount of storage in gibibytes (GiB) to allocate to each DB instance in the Multi-AZ DB cluster.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nThis setting is required to create a Multi-AZ DB cluster.", "AssociatedRoles": "Provides a list of the AWS Identity and Access Management (IAM) roles that are associated with the DB cluster. IAM roles that are associated with a DB cluster grant permission for the DB cluster to access other Amazon Web Services on your behalf.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", - "AutoMinorVersionUpgrade": "Specifies whether minor engine upgrades are applied automatically to the DB cluster during the maintenance window. By default, minor engine upgrades are applied automatically.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB cluster", + "AutoMinorVersionUpgrade": "Specifies whether minor engine upgrades are applied automatically to the DB cluster during the maintenance window. By default, minor engine upgrades are applied automatically.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB cluster.\n\nFor more information about automatic minor version upgrades, see [Automatically upgrading the minor engine version](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades) .", "AvailabilityZones": "A list of Availability Zones (AZs) where instances in the DB cluster can be created. For information on AWS Regions and Availability Zones, see [Choosing the Regions and Availability Zones](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.RegionsAndAvailabilityZones.html) in the *Amazon Aurora User Guide* .\n\nValid for: Aurora DB clusters only", "BacktrackWindow": "The target backtrack window, in seconds. To disable backtracking, set this value to `0` .\n\nValid for Cluster Type: Aurora MySQL DB clusters only\n\nDefault: `0`\n\nConstraints:\n\n- If specified, this value must be set to a number from 0 to 259,200 (72 hours).", "BackupRetentionPeriod": "The number of days for which automated backups are retained.\n\nDefault: 1\n\nConstraints:\n\n- Must be a value from 1 to 35\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", @@ -43400,7 +43856,7 @@ "EnableIAMDatabaseAuthentication": "A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled.\n\nFor more information, see [IAM Database Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon Aurora User Guide.*\n\nValid for: Aurora DB clusters only", "EnableLocalWriteForwarding": "Specifies whether read replicas can forward write operations to the writer DB instance in the DB cluster. By default, write operations aren't allowed on reader DB instances.\n\nValid for: Aurora DB clusters only", "Engine": "The name of the database engine to be used for this DB cluster.\n\nValid Values:\n\n- `aurora-mysql`\n- `aurora-postgresql`\n- `mysql`\n- `postgres`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", - "EngineLifecycleSupport": "The life cycle type for this DB cluster.\n\n> By default, this value is set to `open-source-rds-extended-support` , which enrolls your DB cluster into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled` . In this case, creating the DB cluster will fail if the DB major version is past its end of standard support date. \n\nYou can use this setting to enroll your DB cluster into Amazon RDS Extended Support. With RDS Extended Support, you can run the selected major engine version on your DB cluster past the end of standard support for that engine version. For more information, see the following sections:\n\n- Amazon Aurora - [Using Amazon RDS Extended Support](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/extended-support.html) in the *Amazon Aurora User Guide*\n- Amazon RDS - [Using Amazon RDS Extended Support](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/extended-support.html) in the *Amazon RDS User Guide*\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values: `open-source-rds-extended-support | open-source-rds-extended-support-disabled`\n\nDefault: `open-source-rds-extended-support`", + "EngineLifecycleSupport": "The life cycle type for this DB cluster.\n\n> By default, this value is set to `open-source-rds-extended-support` , which enrolls your DB cluster into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled` . In this case, creating the DB cluster will fail if the DB major version is past its end of standard support date. \n\nYou can use this setting to enroll your DB cluster into Amazon RDS Extended Support. With RDS Extended Support, you can run the selected major engine version on your DB cluster past the end of standard support for that engine version. For more information, see the following sections:\n\n- Amazon Aurora - [Amazon RDS Extended Support with Amazon Aurora](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/extended-support.html) in the *Amazon Aurora User Guide*\n- Amazon RDS - [Amazon RDS Extended Support with Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/extended-support.html) in the *Amazon RDS User Guide*\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values: `open-source-rds-extended-support | open-source-rds-extended-support-disabled`\n\nDefault: `open-source-rds-extended-support`", "EngineMode": "The DB engine mode of the DB cluster, either `provisioned` or `serverless` .\n\nThe `serverless` engine mode only applies for Aurora Serverless v1 DB clusters. Aurora Serverless v2 DB clusters use the `provisioned` engine mode.\n\nFor information about limitations and requirements for Serverless DB clusters, see the following sections in the *Amazon Aurora User Guide* :\n\n- [Limitations of Aurora Serverless v1](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.limitations)\n- [Requirements for Aurora Serverless v2](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.requirements.html)\n\nValid for Cluster Type: Aurora DB clusters only", "EngineVersion": "The version number of the database engine to use.\n\nTo list all of the available engine versions for Aurora MySQL version 2 (5.7-compatible) and version 3 (8.0-compatible), use the following command:\n\n`aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"`\n\nYou can supply either `5.7` or `8.0` to use the default engine version for Aurora MySQL version 2 or version 3, respectively.\n\nTo list all of the available engine versions for Aurora PostgreSQL, use the following command:\n\n`aws rds describe-db-engine-versions --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\"`\n\nTo list all of the available engine versions for RDS for MySQL, use the following command:\n\n`aws rds describe-db-engine-versions --engine mysql --query \"DBEngineVersions[].EngineVersion\"`\n\nTo list all of the available engine versions for RDS for PostgreSQL, use the following command:\n\n`aws rds describe-db-engine-versions --engine postgres --query \"DBEngineVersions[].EngineVersion\"`\n\n*Aurora MySQL*\n\nFor information, see [Database engine updates for Amazon Aurora MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Updates.html) in the *Amazon Aurora User Guide* .\n\n*Aurora PostgreSQL*\n\nFor information, see [Amazon Aurora PostgreSQL releases and engine versions](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Updates.20180305.html) in the *Amazon Aurora User Guide* .\n\n*MySQL*\n\nFor information, see [Amazon RDS for MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide* .\n\n*PostgreSQL*\n\nFor information, see [Amazon RDS for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts) in the *Amazon RDS User Guide* .\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "GlobalClusterIdentifier": "If you are configuring an Aurora global database cluster and want your Aurora DB cluster to be a secondary member in the global database cluster, specify the global cluster ID of the global database cluster. To define the primary database cluster of the global cluster, use the [AWS::RDS::GlobalCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html) resource.\n\nIf you aren't configuring a global database cluster, don't specify this property.\n\n> To remove the DB cluster from a global database cluster, specify an empty value for the `GlobalClusterIdentifier` property. \n\nFor information about Aurora global databases, see [Working with Amazon Aurora Global Databases](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html) in the *Amazon Aurora User Guide* .\n\nValid for: Aurora DB clusters only", @@ -43517,7 +43973,7 @@ "EnableIAMDatabaseAuthentication": "A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled.\n\nThis property is supported for RDS for MariaDB, RDS for MySQL, and RDS for PostgreSQL. For more information, see [IAM Database Authentication for MariaDB, MySQL, and PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon RDS User Guide.*\n\n*Amazon Aurora*\n\nNot applicable. Mapping AWS IAM accounts to database accounts is managed by the DB cluster.", "EnablePerformanceInsights": "Specifies whether to enable Performance Insights for the DB instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html) in the *Amazon RDS User Guide* .\n\nThis setting doesn't apply to RDS Custom DB instances.", "Engine": "The name of the database engine to use for this DB instance. Not every database engine is available in every AWS Region.\n\nThis property is required when creating a DB instance.\n\n> You can convert an Oracle database from the non-CDB architecture to the container database (CDB) architecture by updating the `Engine` value in your templates from `oracle-ee` to `oracle-ee-cdb` or from `oracle-se2` to `oracle-se2-cdb` . Converting to the CDB architecture requires an interruption. \n\nValid Values:\n\n- `aurora-mysql` (for Aurora MySQL DB instances)\n- `aurora-postgresql` (for Aurora PostgreSQL DB instances)\n- `custom-oracle-ee` (for RDS Custom for Oracle DB instances)\n- `custom-oracle-ee-cdb` (for RDS Custom for Oracle DB instances)\n- `custom-sqlserver-ee` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-se` (for RDS Custom for SQL Server DB instances)\n- `custom-sqlserver-web` (for RDS Custom for SQL Server DB instances)\n- `db2-ae`\n- `db2-se`\n- `mariadb`\n- `mysql`\n- `oracle-ee`\n- `oracle-ee-cdb`\n- `oracle-se2`\n- `oracle-se2-cdb`\n- `postgres`\n- `sqlserver-ee`\n- `sqlserver-se`\n- `sqlserver-ex`\n- `sqlserver-web`", - "EngineLifecycleSupport": "The life cycle type for this DB instance.\n\n> By default, this value is set to `open-source-rds-extended-support` , which enrolls your DB instance into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled` . In this case, creating the DB instance will fail if the DB major version is past its end of standard support date. \n\nThis setting applies only to RDS for MySQL and RDS for PostgreSQL. For Amazon Aurora DB instances, the life cycle type is managed by the DB cluster.\n\nYou can use this setting to enroll your DB instance into Amazon RDS Extended Support. With RDS Extended Support, you can run the selected major engine version on your DB instance past the end of standard support for that engine version. For more information, see [Using Amazon RDS Extended Support](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/extended-support.html) in the *Amazon RDS User Guide* .\n\nValid Values: `open-source-rds-extended-support | open-source-rds-extended-support-disabled`\n\nDefault: `open-source-rds-extended-support`", + "EngineLifecycleSupport": "The life cycle type for this DB instance.\n\n> By default, this value is set to `open-source-rds-extended-support` , which enrolls your DB instance into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled` . In this case, creating the DB instance will fail if the DB major version is past its end of standard support date. \n\nThis setting applies only to RDS for MySQL and RDS for PostgreSQL. For Amazon Aurora DB instances, the life cycle type is managed by the DB cluster.\n\nYou can use this setting to enroll your DB instance into Amazon RDS Extended Support. With RDS Extended Support, you can run the selected major engine version on your DB instance past the end of standard support for that engine version. For more information, see [Amazon RDS Extended Support with Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/extended-support.html) in the *Amazon RDS User Guide* .\n\nValid Values: `open-source-rds-extended-support | open-source-rds-extended-support-disabled`\n\nDefault: `open-source-rds-extended-support`", "EngineVersion": "The version number of the database engine to use.\n\nFor a list of valid engine versions, use the `DescribeDBEngineVersions` action.\n\nThe following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region.\n\n*Amazon Aurora*\n\nNot applicable. The version number of the database engine to be used by the DB instance is managed by the DB cluster.\n\n*Db2*\n\nSee [Amazon RDS for Db2](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Db2.html#Db2.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*MariaDB*\n\nSee [MariaDB on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MariaDB.html#MariaDB.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Microsoft SQL Server*\n\nSee [Microsoft SQL Server Versions on Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.VersionSupport) in the *Amazon RDS User Guide.*\n\n*MySQL*\n\nSee [MySQL on Amazon RDS Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide.*\n\n*Oracle*\n\nSee [Oracle Database Engine Release Notes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.PatchComposition.html) in the *Amazon RDS User Guide.*\n\n*PostgreSQL*\n\nSee [Supported PostgreSQL Database Versions](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.DBVersions) in the *Amazon RDS User Guide.*", "Iops": "The number of I/O operations per second (IOPS) that the database provisions. The value must be equal to or greater than 1000.\n\nIf you specify this property, you must follow the range of allowed ratios of your requested IOPS rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can provision an Oracle database instance with 1000 IOPS and 200 GiB of storage (a ratio of 5:1), or specify 2000 IOPS with 200 GiB of storage (a ratio of 10:1). For more information, see [Amazon RDS Provisioned IOPS Storage to Improve Performance](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide* .\n\n> If you specify `io1` for the `StorageType` property, then you must also specify the `Iops` property. \n\nConstraints:\n\n- For RDS for Db2, MariaDB, MySQL, Oracle, and PostgreSQL - Must be a multiple between .5 and 50 of the storage amount for the DB instance.\n- For RDS for SQL Server - Must be a multiple between 1 and 50 of the storage amount for the DB instance.", "KmsKeyId": "The ARN of the AWS KMS key that's used to encrypt the DB instance, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the StorageEncrypted property but don't specify this property, AWS CloudFormation uses the default KMS key. If you specify this property, you must set the StorageEncrypted property to true.\n\nIf you specify the `SourceDBInstanceIdentifier` or `SourceDbiResourceId` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used. However, if the source DB instance is in a different AWS Region, you must specify a KMS key ID.\n\nIf you specify the `SourceDBInstanceAutomatedBackupsArn` property, don't specify this property. The value is inherited from the source DB instance automated backup, and if the automated backup is encrypted, the specified `KmsKeyId` property is used.\n\nIf you create an encrypted read replica in a different AWS Region, then you must specify a KMS key for the destination AWS Region. KMS encryption keys are specific to the region that they're created in, and you can't use encryption keys from one region in another region.\n\nIf you specify the `DBSnapshotIdentifier` property, don't specify this property. The `StorageEncrypted` property value is inherited from the snapshot. If the DB instance is encrypted, the specified `KmsKeyId` property is also inherited from the snapshot.\n\nIf you specify `DBSecurityGroups` , AWS CloudFormation ignores this property. To specify both a security group and this property, you must use a VPC security group. For more information about Amazon RDS and VPC, see [Using Amazon RDS with Amazon VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html) in the *Amazon RDS User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. The KMS key identifier is managed by the DB cluster.", @@ -43636,8 +44092,8 @@ "TargetGroupName": "The identifier for the target group.\n\n> Currently, this property must be set to `default` ." }, "AWS::RDS::DBProxyTargetGroup ConnectionPoolConfigurationInfoFormat": { - "ConnectionBorrowTimeout": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 3600.", - "InitQuery": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure that the query you add is valid. To include multiple variables in a single `SET` statement, use comma separators.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nFor multiple statements, use semicolons as the separator.\n\nDefault: no initialization query", + "ConnectionBorrowTimeout": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 300.", + "InitQuery": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure the query added here is valid. This is an optional field, so you can choose to leave it empty. For including multiple variables in a single SET statement, use a comma separator.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nDefault: no initialization query", "MaxConnectionsPercent": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: `10` for RDS for Microsoft SQL Server, and `100` for all other engines\n\nConstraints:\n\n- Must be between 1 and 100.", "MaxIdleConnectionsPercent": "A value that controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is `5` , and for all other engines, the default is `50` .\n\nConstraints:\n\n- Must be between 0 and the value of `MaxConnectionsPercent` .", "SessionPinningFilters": "Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection. Including an item in the list exempts that class of SQL operations from the pinning behavior.\n\nDefault: no session pinning filters" @@ -43666,7 +44122,7 @@ "EC2SecurityGroupOwnerId": "AWS account number of the owner of the EC2 security group specified in the `EC2SecurityGroupName` parameter. The AWS access key ID isn't an acceptable value. For VPC DB security groups, `EC2SecurityGroupId` must be provided. Otherwise, `EC2SecurityGroupOwnerId` and either `EC2SecurityGroupName` or `EC2SecurityGroupId` must be provided." }, "AWS::RDS::DBShardGroup": { - "ComputeRedundancy": "Specifies whether to create standby DB shard groups for the DB shard group. Valid values are the following:\n\n- 0 - Creates a DB shard group without a standby DB shard group. This is the default value.\n- 1 - Creates a DB shard group with a standby DB shard group in a different Availability Zone (AZ).\n- 2 - Creates a DB shard group with two standby DB shard groups in two different AZs.", + "ComputeRedundancy": "Specifies whether to create standby standby DB data access shard for the DB shard group. Valid values are the following:\n\n- 0 - Creates a DB shard group without a standby DB data access shard. This is the default value.\n- 1 - Creates a DB shard group with a standby DB data access shard in a different Availability Zone (AZ).\n- 2 - Creates a DB shard group with two standby DB data access shard in two different AZs.", "DBClusterIdentifier": "The name of the primary DB cluster for the DB shard group.", "DBShardGroupIdentifier": "The name of the DB shard group.", "MaxACU": "The maximum capacity of the DB shard group in Aurora capacity units (ACUs).", @@ -43704,7 +44160,7 @@ "AWS::RDS::GlobalCluster": { "DeletionProtection": "Specifies whether to enable deletion protection for the new global database cluster. The global database can't be deleted when deletion protection is enabled.", "Engine": "The database engine to use for this global database cluster.\n\nValid Values: `aurora-mysql | aurora-postgresql`\n\nConstraints:\n\n- Can't be specified if `SourceDBClusterIdentifier` is specified. In this case, Amazon Aurora uses the engine of the source DB cluster.", - "EngineLifecycleSupport": "The life cycle type for this global database cluster.\n\n> By default, this value is set to `open-source-rds-extended-support` , which enrolls your global cluster into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled` . In this case, creating the global cluster will fail if the DB major version is past its end of standard support date. \n\nThis setting only applies to Aurora PostgreSQL-based global databases.\n\nYou can use this setting to enroll your global cluster into Amazon RDS Extended Support. With RDS Extended Support, you can run the selected major engine version on your global cluster past the end of standard support for that engine version. For more information, see [Using Amazon RDS Extended Support](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/extended-support.html) in the *Amazon Aurora User Guide* .\n\nValid Values: `open-source-rds-extended-support | open-source-rds-extended-support-disabled`\n\nDefault: `open-source-rds-extended-support`", + "EngineLifecycleSupport": "The life cycle type for this global database cluster.\n\n> By default, this value is set to `open-source-rds-extended-support` , which enrolls your global cluster into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled` . In this case, creating the global cluster will fail if the DB major version is past its end of standard support date. \n\nThis setting only applies to Aurora PostgreSQL-based global databases.\n\nYou can use this setting to enroll your global cluster into Amazon RDS Extended Support. With RDS Extended Support, you can run the selected major engine version on your global cluster past the end of standard support for that engine version. For more information, see [Amazon RDS Extended Support with Amazon Aurora](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/extended-support.html) in the *Amazon Aurora User Guide* .\n\nValid Values: `open-source-rds-extended-support | open-source-rds-extended-support-disabled`\n\nDefault: `open-source-rds-extended-support`", "EngineVersion": "The engine version to use for this global database cluster.\n\nConstraints:\n\n- Can't be specified if `SourceDBClusterIdentifier` is specified. In this case, Amazon Aurora uses the engine version of the source DB cluster.", "GlobalClusterIdentifier": "The cluster identifier for this global database cluster. This parameter is stored as a lowercase string.", "SourceDBClusterIdentifier": "The Amazon Resource Name (ARN) to use as the primary cluster of the global database.\n\nIf you provide a value for this parameter, don't specify values for the following settings because Amazon Aurora uses the values from the specified source DB cluster:\n\n- `DatabaseName`\n- `Engine`\n- `EngineVersion`\n- `StorageEncrypted`", @@ -44069,7 +44525,7 @@ }, "AWS::RedshiftServerless::Workgroup": { "BaseCapacity": "The base compute capacity of the workgroup in Redshift Processing Units (RPUs).", - "ConfigParameters": "A list of parameters to set for finer control over a database. Available options are `datestyle` , `enable_user_activity_logging` , `query_group` , `search_path` , `max_query_execution_time` , and `require_ssl` .", + "ConfigParameters": "The key of the parameter. The options are `auto_mv` , `datestyle` , `enable_case_sensitive_identifier` , `enable_user_activity_logging` , `query_group` , `search_path` , `require_ssl` , `use_fips_ssl` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", "EnhancedVpcRouting": "The value that specifies whether to enable enhanced virtual private cloud (VPC) routing, which forces Amazon Redshift Serverless to route traffic through your VPC.", "MaxCapacity": "The maximum data-warehouse capacity Amazon Redshift Serverless uses to serve queries. The max capacity is specified in RPUs.", "NamespaceName": "The namespace the workgroup is associated with.", @@ -44088,7 +44544,7 @@ "WorkgroupName": "The name of the workgroup." }, "AWS::RedshiftServerless::Workgroup ConfigParameter": { - "ParameterKey": "The key of the parameter. The options are `datestyle` , `enable_user_activity_logging` , `query_group` , `search_path` , `max_query_execution_time` , and `require_ssl` .", + "ParameterKey": "The key of the parameter. The options are `auto_mv` , `datestyle` , `enable_case_sensitive_identifier` , `enable_user_activity_logging` , `query_group` , `search_path` , `require_ssl` , `use_fips_ssl` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", "ParameterValue": "The value of the parameter to set." }, "AWS::RedshiftServerless::Workgroup Endpoint": { @@ -45202,7 +45658,7 @@ }, "AWS::S3::Bucket RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "The HTTP error code when the redirect is applied. In the event of an error, if the error code equals this value, then the specified redirect is applied.\n\nRequired when parent element `Condition` is specified and sibling `KeyPrefixEquals` is not specified. If both are specified, then both must be true for the redirect to be applied.", - "KeyPrefixEquals": "The object key name prefix when the redirect is applied. For example, to redirect requests for `ExamplePage.html` , the key prefix will be `ExamplePage.html` . To redirect request for all pages with the prefix `docs/` , the key prefix will be `/docs` , which identifies all objects in the docs/ folder.\n\nRequired when the parent element `Condition` is specified and sibling `HttpErrorCodeReturnedEquals` is not specified. If both conditions are specified, both must be true for the redirect to be applied." + "KeyPrefixEquals": "The object key name prefix when the redirect is applied. For example, to redirect requests for `ExamplePage.html` , the key prefix will be `ExamplePage.html` . To redirect request for all pages with the prefix `docs/` , the key prefix will be `docs/` , which identifies all objects in the docs/ folder.\n\nRequired when the parent element `Condition` is specified and sibling `HttpErrorCodeReturnedEquals` is not specified. If both conditions are specified, both must be true for the redirect to be applied." }, "AWS::S3::Bucket Rule": { "AbortIncompleteMultipartUpload": "Specifies a lifecycle rule that stops incomplete multipart uploads to an Amazon S3 bucket.", @@ -45680,7 +46136,7 @@ "Enabled": "If `true` , the event destination is enabled. When the event destination is enabled, the specified event types are sent to the destinations in this `EventDestinationDefinition` .\n\nIf `false` , the event destination is disabled. When the event destination is disabled, events aren't sent to the specified destinations.", "EventBridgeDestination": "An object that defines an Amazon EventBridge destination for email events. You can use Amazon EventBridge to send notifications when certain email events occur.", "KinesisFirehoseDestination": "An object that contains the delivery stream ARN and the IAM role ARN associated with an Amazon Kinesis Firehose event destination.", - "MatchingEventTypes": "The types of events that Amazon SES sends to the specified event destinations.\n\n- `SEND` - The send request was successful and SES will attempt to deliver the message to the recipient\u2019s mail server. (If account-level or global suppression is being used, SES will still count it as a send, but delivery is suppressed.)\n- `REJECT` - SES accepted the email, but determined that it contained a virus and didn\u2019t attempt to deliver it to the recipient\u2019s mail server.\n- `BOUNCE` - ( *Hard bounce* ) The recipient's mail server permanently rejected the email. ( *Soft bounces* are only included when SES fails to deliver the email after retrying for a period of time.)\n- `COMPLAINT` - The email was successfully delivered to the recipient\u2019s mail server, but the recipient marked it as spam.\n- `DELIVERY` - SES successfully delivered the email to the recipient's mail server.\n- `OPEN` - The recipient received the message and opened it in their email client.\n- `CLICK` - The recipient clicked one or more links in the email.\n- `RENDERING_FAILURE` - The email wasn't sent because of a template rendering issue. This event type can occur when template data is missing, or when there is a mismatch between template parameters and data. (This event type only occurs when you send email using the [`SendTemplatedEmail`](https://docs.aws.amazon.com/ses/latest/APIReference/API_SendTemplatedEmail.html) or [`SendBulkTemplatedEmail`](https://docs.aws.amazon.com/ses/latest/APIReference/API_SendBulkTemplatedEmail.html) API operations.)\n- `DELIVERY_DELAY` - The email couldn't be delivered to the recipient\u2019s mail server because a temporary issue occurred. Delivery delays can occur, for example, when the recipient's inbox is full, or when the receiving email server experiences a transient issue.\n- `SUBSCRIPTION` - The email was successfully delivered, but the recipient updated their subscription preferences by clicking on an *unsubscribe* link as part of your [subscription management](https://docs.aws.amazon.com/ses/latest/dg/sending-email-subscription-management.html) .", + "MatchingEventTypes": "The types of events that Amazon SES sends to the specified event destinations.\n\n- `SEND` - The send request was successful and SES will attempt to deliver the message to the recipient\u2019s mail server. (If account-level or global suppression is being used, SES will still count it as a send, but delivery is suppressed.)\n- `REJECT` - SES accepted the email, but determined that it contained a virus and didn\u2019t attempt to deliver it to the recipient\u2019s mail server.\n- `BOUNCE` - ( *Hard bounce* ) The recipient's mail server permanently rejected the email. ( *Soft bounces* are only included when SES fails to deliver the email after retrying for a period of time.)\n- `COMPLAINT` - The email was successfully delivered to the recipient\u2019s mail server, but the recipient marked it as spam.\n- `DELIVERY` - SES successfully delivered the email to the recipient's mail server.\n- `OPEN` - The recipient received the message and opened it in their email client.\n- `CLICK` - The recipient clicked one or more links in the email.\n- `RENDERING_FAILURE` - The email wasn't sent because of a template rendering issue. This event type can occur when template data is missing, or when there is a mismatch between template parameters and data. (This event type only occurs when you send email using the [`SendEmail`](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_SendEmail.html) or [`SendBulkEmail`](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_SendBulkEmail.html) API operations.)\n- `DELIVERY_DELAY` - The email couldn't be delivered to the recipient\u2019s mail server because a temporary issue occurred. Delivery delays can occur, for example, when the recipient's inbox is full, or when the receiving email server experiences a transient issue.\n- `SUBSCRIPTION` - The email was successfully delivered, but the recipient updated their subscription preferences by clicking on an *unsubscribe* link as part of your [subscription management](https://docs.aws.amazon.com/ses/latest/dg/sending-email-subscription-management.html) .", "Name": "The name of the event destination. The name must meet the following requirements:\n\n- Contain only ASCII letters (a-z, A-Z), numbers (0-9), underscores (_), or dashes (-).\n- Contain 64 characters or fewer.", "SnsDestination": "An object that contains the topic ARN associated with an Amazon Simple Notification Service (Amazon SNS) event destination." }, @@ -45753,6 +46209,14 @@ "Key": "The key of the key-value tag.", "Value": "The value of the key-value tag." }, + "AWS::SES::MailManagerAddressList": { + "AddressListName": "", + "Tags": "" + }, + "AWS::SES::MailManagerAddressList Tag": { + "Key": "", + "Value": "" + }, "AWS::SES::MailManagerArchive": { "ArchiveName": "A unique name for the new archive.", "KmsKeyArn": "The Amazon Resource Name (ARN) of the KMS key for encrypting emails in the archive.", @@ -45832,10 +46296,10 @@ "RoleArn": "The Amazon Resource Name (ARN) of an IAM role to use to execute this action. The role must have access to the workmail:DeliverToMailbox API." }, "AWS::SES::MailManagerRuleSet DeliverToQBusinessAction": { - "ActionFailurePolicy": "A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the specified application has been deleted or the role lacks necessary permissions to call the qbusiness:BatchPutDocument API.", + "ActionFailurePolicy": "A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the specified application has been deleted or the role lacks necessary permissions to call the `qbusiness:BatchPutDocument` API.", "ApplicationId": "The unique identifier of the Amazon Q Business application instance where the email content will be delivered.", "IndexId": "The identifier of the knowledge base index within the Amazon Q Business application where the email content will be stored and indexed.", - "RoleArn": "The Amazon Resource Name (ARN) of the IAM Role to use while delivering to Amazon Q Business. This role must have access to the qbusiness:BatchPutDocument API for the given application and index." + "RoleArn": "The Amazon Resource Name (ARN) of the IAM Role to use while delivering to Amazon Q Business. This role must have access to the `qbusiness:BatchPutDocument` API for the given application and index." }, "AWS::SES::MailManagerRuleSet RelayAction": { "ActionFailurePolicy": "A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the specified relay has been deleted.", @@ -45857,6 +46321,7 @@ "DeliverToMailbox": "This action delivers an email to a WorkMail mailbox.", "DeliverToQBusiness": "This action delivers an email to an Amazon Q Business application for ingestion into its knowledge base.", "Drop": "This action terminates the evaluation of rules in the rule set.", + "PublishToSns": "This action publishes the email content to an Amazon SNS topic.", "Relay": "This action relays the email to another SMTP server.", "ReplaceRecipient": "The action replaces certain or all recipients with a different set of recipients.", "Send": "This action sends the email to the internet.", @@ -45868,7 +46333,8 @@ }, "AWS::SES::MailManagerRuleSet RuleBooleanToEvaluate": { "Analysis": "The Add On ARN and its returned value to evaluate in a boolean condition expression.", - "Attribute": "The boolean type representing the allowed attribute types for an email." + "Attribute": "The boolean type representing the allowed attribute types for an email.", + "IsInAddressList": "The structure representing the address lists and address list attribute that will be used in evaluation of boolean expression." }, "AWS::SES::MailManagerRuleSet RuleCondition": { "BooleanExpression": "The condition applies to a boolean expression passed in this field.", @@ -45890,6 +46356,10 @@ "AWS::SES::MailManagerRuleSet RuleIpToEvaluate": { "Attribute": "The attribute of the email to evaluate." }, + "AWS::SES::MailManagerRuleSet RuleIsInAddressList": { + "AddressLists": "The address lists that will be used for evaluation.", + "Attribute": "The email attribute that needs to be evaluated against the address list." + }, "AWS::SES::MailManagerRuleSet RuleNumberExpression": { "Evaluate": "The number to evaluate in a numeric condition expression.", "Operator": "The operator for a numeric condition expression.", @@ -45928,6 +46398,13 @@ "ActionFailurePolicy": "A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, the caller does not have the permissions to call the sendRawEmail API.", "RoleArn": "The Amazon Resource Name (ARN) of the role to use for this action. This role must have access to the ses:SendRawEmail API." }, + "AWS::SES::MailManagerRuleSet SnsAction": { + "ActionFailurePolicy": "A policy that states what to do in the case of failure. The action will fail if there are configuration errors. For example, specified SNS topic has been deleted or the role lacks necessary permissions to call the `sns:Publish` API.", + "Encoding": "The encoding to use for the email within the Amazon SNS notification. The default value is `UTF-8` . Use `BASE64` if you need to preserve all special characters, especially when the original message uses a different encoding format.", + "PayloadType": "The expected payload type within the Amazon SNS notification. `CONTENT` attempts to publish the full email content with 20KB of headers content. `HEADERS` extracts up to 100KB of header content to include in the notification, email content will not be included to the notification. The default value is `CONTENT` .", + "RoleArn": "The Amazon Resource Name (ARN) of the IAM Role to use while writing to Amazon SNS. This role must have access to the `sns:Publish` API for the given topic.", + "TopicArn": "The Amazon Resource Name (ARN) of the Amazon SNS Topic to which notification for the email received will be published." + }, "AWS::SES::MailManagerRuleSet Tag": { "Key": "The key of the key-value tag.", "Value": "The value of the key-value tag." @@ -45948,7 +46425,8 @@ "Operator": "The matching operator for a boolean condition expression." }, "AWS::SES::MailManagerTrafficPolicy IngressBooleanToEvaluate": { - "Analysis": "The structure type for a boolean condition stating the Add On ARN and its returned value." + "Analysis": "The structure type for a boolean condition stating the Add On ARN and its returned value.", + "IsInAddressList": "" }, "AWS::SES::MailManagerTrafficPolicy IngressIpToEvaluate": { "Attribute": "An enum type representing the allowed attribute types for an IP condition." @@ -45966,6 +46444,10 @@ "AWS::SES::MailManagerTrafficPolicy IngressIpv6ToEvaluate": { "Attribute": "" }, + "AWS::SES::MailManagerTrafficPolicy IngressIsInAddressList": { + "AddressLists": "", + "Attribute": "" + }, "AWS::SES::MailManagerTrafficPolicy IngressStringExpression": { "Evaluate": "The left hand side argument of a string condition expression.", "Operator": "", @@ -46060,8 +46542,8 @@ "TopicArn": "The ARN of the Amazon SNS topic to notify when the message is saved to the Amazon S3 bucket. You can find the ARN of a topic by using the [ListTopics](https://docs.aws.amazon.com/sns/latest/api/API_ListTopics.html) operation in Amazon SNS.\n\nFor more information about Amazon SNS topics, see the [Amazon SNS Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/CreateTopic.html) ." }, "AWS::SES::ReceiptRule SNSAction": { - "Encoding": "The encoding to use for the email within the Amazon SNS notification. UTF-8 is easier to use, but may not preserve all special characters when a message was encoded with a different encoding format. Base64 preserves all special characters. The default value is UTF-8.", - "TopicArn": "The Amazon Resource Name (ARN) of the Amazon SNS topic to notify. You can find the ARN of a topic by using the [ListTopics](https://docs.aws.amazon.com/sns/latest/api/API_ListTopics.html) operation in Amazon SNS.\n\nFor more information about Amazon SNS topics, see the [Amazon SNS Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/CreateTopic.html) ." + "Encoding": "The encoding to use for the email within the Amazon SNS notification. The default value is `UTF-8` . Use `BASE64` if you need to preserve all special characters, especially when the original message uses a different encoding format.", + "TopicArn": "The Amazon Resource Name (ARN) of the Amazon SNS Topic to which notification for the email received will be published." }, "AWS::SES::ReceiptRule StopAction": { "Scope": "The scope of the StopAction. The only acceptable value is `RuleSet` .", @@ -46080,7 +46562,7 @@ "AWS::SES::Template Template": { "HtmlPart": "The HTML body of the email.", "SubjectPart": "The subject line of the email.", - "TemplateName": "The name of the template. You will refer to this name when you send email using the `SendTemplatedEmail` or `SendBulkTemplatedEmail` operations.", + "TemplateName": "The name of the template. You will refer to this name when you send email using the `SendEmail` or `SendBulkEmail` operations.", "TextPart": "The email body that is visible to recipients whose email clients do not display HTML content." }, "AWS::SES::VdmAttributes": { @@ -46413,6 +46895,7 @@ "Alias": "The unique and identifiable alias of the contact or escalation plan.", "DisplayName": "The full name of the contact or escalation plan.", "Plan": "A list of stages. A contact has an engagement plan with stages that contact specified contact channels. An escalation plan uses stages that contact specified contacts.", + "Tags": "", "Type": "The type of contact.\n\n- `PERSONAL` : A single, individual contact.\n- `ESCALATION` : An escalation plan.\n- `ONCALL_SCHEDULE` : An on-call schedule." }, "AWS::SSMContacts::Contact ChannelTargetInfo": { @@ -46428,6 +46911,10 @@ "RotationIds": "The Amazon Resource Names (ARNs) of the on-call rotations associated with the plan.", "Targets": "The contacts or contact methods that the escalation plan or engagement plan is engaging." }, + "AWS::SSMContacts::Contact Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, "AWS::SSMContacts::Contact Targets": { "ChannelTargetInfo": "Information about the contact channel that Incident Manager engages.", "ContactTargetInfo": "The contact that Incident Manager is engaging during an incident." @@ -46496,6 +46983,20 @@ "DayOfWeek": "The day of the week when weekly recurring on-call shift rotations begins.", "HandOffTime": "The time of day when a weekly recurring on-call shift rotation begins." }, + "AWS::SSMGuiConnect::Preferences": { + "ConnectionRecordingPreferences": "The set of preferences used for recording RDP connections in the requesting AWS account and AWS Region . This includes details such as which S3 bucket recordings are stored in." + }, + "AWS::SSMGuiConnect::Preferences ConnectionRecordingPreferences": { + "KMSKeyArn": "The ARN of a AWS KMS key that is used to encrypt data while it is being processed by the service. This key must exist in the same AWS Region as the node you start an RDP connection to.", + "RecordingDestinations": "Determines where recordings of RDP connections are stored." + }, + "AWS::SSMGuiConnect::Preferences RecordingDestinations": { + "S3Buckets": "The S3 bucket where RDP connection recordings are stored." + }, + "AWS::SSMGuiConnect::Preferences S3Bucket": { + "BucketName": "The name of the S3 bucket where RDP connection recordings are stored.", + "BucketOwner": "The AWS account number that owns the S3 bucket." + }, "AWS::SSMIncidents::ReplicationSet": { "DeletionProtected": "Determines if the replication set deletion protection is enabled or not. If deletion protection is enabled, you can't delete the last Region in the replication set.", "Regions": "Specifies the Regions of the replication set.", @@ -46580,8 +47081,8 @@ "Tags": "Key-value pairs of metadata to assign to the configuration manager." }, "AWS::SSMQuickSetup::ConfigurationManager ConfigurationDefinition": { - "LocalDeploymentAdministrationRoleArn": "The ARN of the IAM role used to administrate local configuration deployments.", - "LocalDeploymentExecutionRoleName": "The name of the IAM role used to deploy local configurations.", + "LocalDeploymentAdministrationRoleArn": "The ARN of the IAM role used to administrate local configuration deployments.\n\n> Although this element is listed as \"Required: No\", a value can be omitted only for organizational deployments of types other than `AWSQuickSetupType-PatchPolicy` . A value must be provided when you are running an organizational deployment for a patch policy or running any type of deployment for a single account.", + "LocalDeploymentExecutionRoleName": "The name of the IAM role used to deploy local configurations.\n\n> Although this element is listed as \"Required: No\", a value can be omitted only for organizational deployments of types other than `AWSQuickSetupType-PatchPolicy` . A value must be provided when you are running an organizational deployment for a patch policy or running any type of deployment for a single account.", "Parameters": "The parameters for the configuration definition type. Parameters for configuration definitions vary based the configuration type. The following lists outline the parameters for each configuration type.\n\n- **AWS Config Recording (Type: AWS QuickSetupType-CFGRecording)** - - `RecordAllResources`\n\n- Description: (Optional) A boolean value that determines whether all supported resources are recorded. The default value is \" `true` \".\n- `ResourceTypesToRecord`\n\n- Description: (Optional) A comma separated list of resource types you want to record.\n- `RecordGlobalResourceTypes`\n\n- Description: (Optional) A boolean value that determines whether global resources are recorded with all resource configurations. The default value is \" `false` \".\n- `GlobalResourceTypesRegion`\n\n- Description: (Optional) Determines the AWS Region where global resources are recorded.\n- `UseCustomBucket`\n\n- Description: (Optional) A boolean value that determines whether a custom Amazon S3 bucket is used for delivery. The default value is \" `false` \".\n- `DeliveryBucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want AWS Config to deliver configuration snapshots and configuration history files to.\n- `DeliveryBucketPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `NotificationOptions`\n\n- Description: (Optional) Determines the notification configuration for the recorder. The valid values are `NoStreaming` , `UseExistingTopic` , and `CreateTopic` . The default value is `NoStreaming` .\n- `CustomDeliveryTopicAccountId`\n\n- Description: (Optional) The ID of the AWS account where the Amazon SNS topic you want to use for notifications resides. You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `CustomDeliveryTopicName`\n\n- Description: (Optional) The name of the Amazon SNS topic you want to use for notifications. You must specify a value for this parameter if you use the `UseExistingTopic` notification option.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(7 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Change Manager (Type: AWS QuickSetupType-SSMChangeMgr)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `JobFunction`\n\n- Description: (Required) The name for the Change Manager job function.\n- `PermissionType`\n\n- Description: (Optional) Specifies whether you want to use default administrator permissions for the job function role, or provide a custom IAM policy. The valid values are `CustomPermissions` and `AdminPermissions` . The default value for the parameter is `CustomerPermissions` .\n- `CustomPermissions`\n\n- Description: (Optional) A JSON string containing the IAM policy you want your job function to use. You must provide a value for this parameter if you specify `CustomPermissions` for the `PermissionType` parameter.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Conformance Packs (Type: AWS QuickSetupType-CFGCPacks)** - - `DelegatedAccountId`\n\n- Description: (Optional) The ID of the delegated administrator account. This parameter is required for Organization deployments.\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `none` \".\n- `CPackNames`\n\n- Description: (Required) A comma separated list of AWS Config conformance packs.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) The ID of the root of your Organization. This configuration type doesn't currently support choosing specific OUs. The configuration will be deployed to all the OUs in the Organization.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Default Host Management Configuration (Type: AWS QuickSetupType-DHMC)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. The default value is \" `true` \".\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) The AWS Regions to deploy the configuration to. For this type, the parameter only accepts a value of `AllRegions` .\n- **DevOps\u00a0Guru (Type: AWS QuickSetupType-DevOpsGuru)** - - `AnalyseAllResources`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru analyzes all AWS CloudFormation stacks in the account. The default value is \" `false` \".\n- `EnableSnsNotifications`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru sends notifications when an insight is created. The default value is \" `true` \".\n- `EnableSsmOpsItems`\n\n- Description: (Optional) A boolean value that determines whether DevOps\u00a0Guru creates an OpsCenter OpsItem when an insight is created. The default value is \" `true` \".\n- `EnableDriftRemediation`\n\n- Description: (Optional) A boolean value that determines whether a drift remediation schedule is used. The default value is \" `false` \".\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(1 days)` , and `none` . The default value is \" `none` \".\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Distributor (Type: AWS QuickSetupType-Distributor)** - - `PackagesToInstall`\n\n- Description: (Required) A comma separated list of packages you want to install on the target instances. The valid values are `AWSEFSTools` , `AWSCWAgent` , and `AWSEC2LaunchAgent` .\n- `RemediationSchedule`\n\n- Description: (Optional) A rate expression that defines the schedule for drift remediation. The valid values are `rate(30 days)` , `rate(14 days)` , `rate(2 days)` , and `none` . The default value is \" `rate(30 days)` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Host Management (Type: AWS QuickSetupType-SSMHostMgmt)** - - `UpdateSSMAgent`\n\n- Description: (Optional) A boolean value that determines whether the SSM Agent is updated on the target instances every 2 weeks. The default value is \" `true` \".\n- `UpdateEc2LaunchAgent`\n\n- Description: (Optional) A boolean value that determines whether the EC2 Launch agent is updated on the target instances every month. The default value is \" `false` \".\n- `CollectInventory`\n\n- Description: (Optional) A boolean value that determines whether instance metadata is collected on the target instances every 30 minutes. The default value is \" `true` \".\n- `ScanInstances`\n\n- Description: (Optional) A boolean value that determines whether the target instances are scanned daily for available patches. The default value is \" `true` \".\n- `InstallCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is installed on the target instances. The default value is \" `false` \".\n- `UpdateCloudWatchAgent`\n\n- Description: (Optional) A boolean value that determines whether the Amazon CloudWatch agent is updated on the target instances every month. The default value is \" `false` \".\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Optional) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Optional) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Optional) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **OpsCenter (Type: AWS QuickSetupType-SSMOpsCenter)** - - `DelegatedAccountId`\n\n- Description: (Required) The ID of the delegated administrator account.\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Patch Policy (Type: AWS QuickSetupType-PatchPolicy)** - - `PatchPolicyName`\n\n- Description: (Required) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag.\n- `SelectedPatchBaselines`\n\n- Description: (Required) An array of JSON objects containing the information for the patch baselines to include in your patch policy.\n- `PatchBaselineUseDefault`\n\n- Description: (Optional) A value that determines whether the selected patch baselines are all AWS provided. Supported values are `default` and `custom` .\n- `PatchBaselineRegion`\n\n- Description: (Required) The AWS Region where the patch baseline exist.\n- `ConfigurationOptionsPatchOperation`\n\n- Description: (Optional) Determines whether target instances scan for available patches, or scan and install available patches. The valid values are `Scan` and `ScanAndInstall` . The default value for the parameter is `Scan` .\n- `ConfigurationOptionsScanValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances scan for available patches.\n- `ConfigurationOptionsInstallValue`\n\n- Description: (Optional) A cron expression that is used as the schedule for when instances install available patches.\n- `ConfigurationOptionsScanNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `ConfigurationOptionsInstallNextInterval`\n\n- Description: (Optional) A boolean value that determines whether instances should scan for available patches at the next cron interval. The default value is \" `false` \".\n- `RebootOption`\n\n- Description: (Optional) Determines whether instances are rebooted after patches are installed. Valid values are `RebootIfNeeded` and `NoReboot` .\n- `IsPolicyAttachAllowed`\n\n- Description: (Optional) A boolean value that determines whether Quick Setup attaches policies to instances profiles already associated with the target instances. The default value is \" `false` \".\n- `OutputLogEnableS3`\n\n- Description: (Optional) A boolean value that determines whether command output logs are sent to Amazon S3.\n- `OutputS3Location`\n\n- Description: (Optional) Information about the Amazon S3 bucket where you want to store the output details of the request.\n\n- `OutputBucketRegion`\n\n- Description: (Optional) The AWS Region where the Amazon S3 bucket you want to deliver command output to is located.\n- `OutputS3BucketName`\n\n- Description: (Optional) The name of the Amazon S3 bucket you want to deliver command output to.\n- `OutputS3KeyPrefix`\n\n- Description: (Optional) The key prefix you want to use in the custom Amazon S3 bucket.\n- `TargetType`\n\n- Description: (Optional) Determines how instances are targeted for local account deployments. Don't specify a value for this parameter if you're deploying to OUs. The valid values are `*` , `InstanceIds` , `ResourceGroups` , and `Tags` . Use `*` to target all instances in the account.\n- `TargetInstances`\n\n- Description: (Optional) A comma separated list of instance IDs. You must provide a value for this parameter if you specify `InstanceIds` for the `TargetType` parameter.\n- `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target. You must provide a value for this parameter if you specify `Tags` for the `TargetType` parameter.\n- `ResourceGroupName`\n\n- Description: (Required) The name of the resource group associated with the instances you want to target. You must provide a value for this parameter if you specify `ResourceGroups` for the `TargetType` parameter.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Explorer (Type: AWS QuickSetupType-ResourceExplorer)** - - `SelectedAggregatorRegion`\n\n- Description: (Required) The AWS Region where you want to create the aggregator index.\n- `ReplaceExistingAggregator`\n\n- Description: (Required) A boolean value that determines whether to demote an existing aggregator if it is in a Region that differs from the value you specify for the `SelectedAggregatorRegion` .\n- `TargetOrganizationalUnits`\n\n- Description: (Required) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.\n- **Resource Scheduler (Type: AWS QuickSetupType-Scheduler)** - - `TargetTagKey`\n\n- Description: (Required) The tag key assigned to the instances you want to target.\n- `TargetTagValue`\n\n- Description: (Required) The value of the tag key assigned to the instances you want to target.\n- `ICalendarString`\n\n- Description: (Required) An iCalendar formatted string containing the schedule you want Change Manager to use.\n- `TargetAccounts`\n\n- Description: (Optional) The ID of the AWS account initiating the configuration deployment. You only need to provide a value for this parameter if you want to deploy the configuration locally. A value must be provided for either `TargetAccounts` or `TargetOrganizationalUnits` .\n- `TargetOrganizationalUnits`\n\n- Description: (Optional) A comma separated list of organizational units (OUs) you want to deploy the configuration to.\n- `TargetRegions`\n\n- Description: (Required) A comma separated list of AWS Regions you want to deploy the configuration to.", "Type": "The type of the Quick Setup configuration.", "TypeVersion": "The version of the Quick Setup type used.", @@ -46675,6 +47176,7 @@ "AppName": "The name of the app.", "AppType": "The type of app.", "DomainId": "The domain ID.", + "RecoveryMode": "", "ResourceSpec": "Specifies the ARNs of a SageMaker image and SageMaker image version, and the instance type that the version runs on.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "UserProfileName": "The user profile name." @@ -46933,6 +47435,7 @@ }, "AWS::SageMaker::Domain CodeEditorAppSettings": { "AppLifecycleManagement": "Settings that are used to configure and manage the lifecycle of CodeEditor applications.", + "BuiltInLifecycleConfigArn": "The lifecycle configuration that runs before the default lifecycle configuration. It can override changes made in the default lifecycle configuration.", "CustomImages": "A list of custom SageMaker images that are configured to run as a Code Editor app.", "DefaultResourceSpec": "The default instance type and the Amazon Resource Name (ARN) of the default SageMaker image used by the Code Editor app.", "LifecycleConfigArns": "The Amazon Resource Name (ARN) of the Code Editor application lifecycle configuration." @@ -46988,6 +47491,10 @@ "FileSystemId": "The globally unique, 17-digit, ID of the file system, assigned by Amazon FSx for Lustre.", "FileSystemPath": "The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below." }, + "AWS::SageMaker::Domain HiddenSageMakerImage": { + "SageMakerImageName": "The SageMaker image name that you are hiding from the Studio user interface.", + "VersionAliases": "The version aliases you are hiding from the Studio user interface." + }, "AWS::SageMaker::Domain IdleSettings": { "IdleTimeoutInMinutes": "The time that SageMaker waits after the application becomes idle before shutting it down.", "LifecycleManagement": "Indicates whether idle shutdown is activated for the application type.", @@ -46996,6 +47503,7 @@ }, "AWS::SageMaker::Domain JupyterLabAppSettings": { "AppLifecycleManagement": "Indicates whether idle shutdown is activated for JupyterLab applications.", + "BuiltInLifecycleConfigArn": "The lifecycle configuration that runs before the default lifecycle configuration. It can override changes made in the default lifecycle configuration.", "CodeRepositories": "A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterLab application.", "CustomImages": "A list of custom SageMaker images that are configured to run as a JupyterLab app.", "DefaultResourceSpec": "The default instance type and the Amazon Resource Name (ARN) of the default SageMaker image used by the JupyterLab app.", @@ -47037,13 +47545,16 @@ }, "AWS::SageMaker::Domain StudioWebPortalSettings": { "HiddenAppTypes": "The [Applications supported in Studio](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-updated-apps.html) that are hidden from the Studio left navigation pane.", - "HiddenMlTools": "The machine learning tools that are hidden from the Studio left navigation pane." + "HiddenInstanceTypes": "The instance types you are hiding from the Studio user interface.", + "HiddenMlTools": "The machine learning tools that are hidden from the Studio left navigation pane.", + "HiddenSageMakerImageVersionAliases": "The version aliases you are hiding from the Studio user interface." }, "AWS::SageMaker::Domain Tag": { "Key": "The tag key. Tag keys must be unique per resource.", "Value": "The tag value." }, "AWS::SageMaker::Domain UserSettings": { + "AutoMountHomeEFS": "Indicates whether auto-mounting of an EFS volume is supported for the user profile. The `DefaultAsDomain` value is only supported for user profiles. Do not use the `DefaultAsDomain` value when setting this parameter for a domain.\n\nSageMaker applies this setting only to private spaces that the user creates in the domain. SageMaker doesn't apply this setting to shared spaces.", "CodeEditorAppSettings": "The Code Editor application settings.\n\nSageMaker applies these settings only to private spaces that the user creates in the domain. SageMaker doesn't apply these settings to shared spaces.", "CustomFileSystemConfigs": "The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker AI Studio.\n\nSageMaker applies these settings only to private spaces that the user creates in the domain. SageMaker doesn't apply these settings to shared spaces.", "CustomPosixUserConfig": "Details about the POSIX identity that is used for file system operations.\n\nSageMaker applies these settings only to private spaces that the user creates in the domain. SageMaker doesn't apply these settings to shared spaces.", @@ -48492,6 +49003,7 @@ }, "AWS::SageMaker::UserProfile CodeEditorAppSettings": { "AppLifecycleManagement": "Settings that are used to configure and manage the lifecycle of CodeEditor applications.", + "BuiltInLifecycleConfigArn": "The lifecycle configuration that runs before the default lifecycle configuration. It can override changes made in the default lifecycle configuration.", "CustomImages": "A list of custom SageMaker images that are configured to run as a Code Editor app.", "DefaultResourceSpec": "The default instance type and the Amazon Resource Name (ARN) of the default SageMaker image used by the Code Editor app.", "LifecycleConfigArns": "The Amazon Resource Name (ARN) of the Code Editor application lifecycle configuration." @@ -48527,6 +49039,10 @@ "FileSystemId": "The globally unique, 17-digit, ID of the file system, assigned by Amazon FSx for Lustre.", "FileSystemPath": "The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below." }, + "AWS::SageMaker::UserProfile HiddenSageMakerImage": { + "SageMakerImageName": "The SageMaker image name that you are hiding from the Studio user interface.", + "VersionAliases": "The version aliases you are hiding from the Studio user interface." + }, "AWS::SageMaker::UserProfile IdleSettings": { "IdleTimeoutInMinutes": "The time that SageMaker waits after the application becomes idle before shutting it down.", "LifecycleManagement": "Indicates whether idle shutdown is activated for the application type.", @@ -48535,6 +49051,7 @@ }, "AWS::SageMaker::UserProfile JupyterLabAppSettings": { "AppLifecycleManagement": "Indicates whether idle shutdown is activated for JupyterLab applications.", + "BuiltInLifecycleConfigArn": "The lifecycle configuration that runs before the default lifecycle configuration. It can override changes made in the default lifecycle configuration.", "CodeRepositories": "A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterLab application.", "CustomImages": "A list of custom SageMaker images that are configured to run as a JupyterLab app.", "DefaultResourceSpec": "The default instance type and the Amazon Resource Name (ARN) of the default SageMaker image used by the JupyterLab app.", @@ -48566,13 +49083,16 @@ }, "AWS::SageMaker::UserProfile StudioWebPortalSettings": { "HiddenAppTypes": "The [Applications supported in Studio](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-updated-apps.html) that are hidden from the Studio left navigation pane.", - "HiddenMlTools": "The machine learning tools that are hidden from the Studio left navigation pane." + "HiddenInstanceTypes": "The instance types you are hiding from the Studio user interface.", + "HiddenMlTools": "The machine learning tools that are hidden from the Studio left navigation pane.", + "HiddenSageMakerImageVersionAliases": "The version aliases you are hiding from the Studio user interface." }, "AWS::SageMaker::UserProfile Tag": { "Key": "The tag key. Tag keys must be unique per resource.", "Value": "The tag value." }, "AWS::SageMaker::UserProfile UserSettings": { + "AutoMountHomeEFS": "Indicates whether auto-mounting of an EFS volume is supported for the user profile. The `DefaultAsDomain` value is only supported for user profiles. Do not use the `DefaultAsDomain` value when setting this parameter for a domain.\n\nSageMaker applies this setting only to private spaces that the user creates in the domain. SageMaker doesn't apply this setting to shared spaces.", "CodeEditorAppSettings": "The Code Editor application settings.\n\nSageMaker applies these settings only to private spaces that the user creates in the domain. SageMaker doesn't apply these settings to shared spaces.", "CustomFileSystemConfigs": "The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker AI Studio.\n\nSageMaker applies these settings only to private spaces that the user creates in the domain. SageMaker doesn't apply these settings to shared spaces.", "CustomPosixUserConfig": "Details about the POSIX identity that is used for file system operations.\n\nSageMaker applies these settings only to private spaces that the user creates in the domain. SageMaker doesn't apply these settings to shared spaces.", @@ -49638,6 +50158,7 @@ "ArtifactConfig": "A structure that contains the configuration for canary artifacts, including the encryption-at-rest settings for artifacts that the canary uploads to Amazon S3.", "ArtifactS3Location": "The location in Amazon S3 where Synthetics stores artifacts from the runs of this canary. Artifacts include the log file, screenshots, and HAR files. Specify the full location path, including `s3://` at the beginning of the path.", "Code": "Use this structure to input your script code for the canary. This structure contains the Lambda handler with the location where the canary should start running the script. If the script is stored in an S3 bucket, the bucket name, key, and version are also included. If the script is passed into the canary directly, the script code is contained in the value of `Script` .", + "DryRunAndUpdate": "Specifies whether to perform a dry run before updating the canary. If set to `true` , CloudFormation will execute a dry run to validate the changes before applying them to the canary. If the dry run succeeds, the canary will be updated with the changes. If the dry run fails, the CloudFormation deployment will fail with the dry run\u2019s failure reason.\n\nIf set to `false` or omitted, the canary will be updated directly without first performing a dry run. The default value is `false` .\n\nFor more information, see [Performing safe canary updates](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/performing-safe-canary-upgrades.html) .", "ExecutionRoleArn": "The ARN of the IAM role to be used to run the canary. This role must already exist, and must include `lambda.amazonaws.com` as a principal in the trust policy. The role must also have the following permissions:\n\n- `s3:PutObject`\n- `s3:GetBucketLocation`\n- `s3:ListAllMyBuckets`\n- `cloudwatch:PutMetricData`\n- `logs:CreateLogGroup`\n- `logs:CreateLogStream`\n- `logs:PutLogEvents`", "FailureRetentionPeriod": "The number of days to retain data about failed runs of this canary. If you omit this field, the default of 31 days is used. The valid range is 1 to 455 days.\n\nThis setting affects the range of information returned by [GetCanaryRuns](https://docs.aws.amazon.com/AmazonSynthetics/latest/APIReference/API_GetCanaryRuns.html) , as well as the range of information displayed in the Synthetics console.", "Name": "The name for this canary. Be sure to give it a descriptive name that distinguishes it from other canaries in your account.\n\nDo not include secrets or proprietary information in your canary names. The canary name makes up part of the canary ARN, and the ARN is included in outbound calls over the internet. For more information, see [Security Considerations for Synthetics Canaries](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/servicelens_canaries_security.html) .", @@ -49662,11 +50183,14 @@ "AWS::Synthetics::Canary Code": { "Handler": "The entry point to use for the source code when running the canary. For canaries that use the `syn-python-selenium-1.0` runtime or a `syn-nodejs.puppeteer` runtime earlier than `syn-nodejs.puppeteer-3.4` , the handler must be specified as `*fileName* .handler` . For `syn-python-selenium-1.1` , `syn-nodejs.puppeteer-3.4` , and later runtimes, the handler can be specified as `*fileName* . *functionName*` , or you can specify a folder where canary scripts reside as `*folder* / *fileName* . *functionName*` .", "S3Bucket": "If your canary script is located in S3, specify the bucket name here. The bucket must already exist.", - "S3Key": "The S3 key of your script. For more information, see [Working with Amazon S3 Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html) .", - "S3ObjectVersion": "The S3 version ID of your script.", + "S3Key": "The Amazon S3 key of your script. For more information, see [Working with Amazon S3 Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html) .", + "S3ObjectVersion": "The Amazon S3 version ID of your script.", "Script": "If you input your canary script directly into the canary instead of referring to an S3 location, the value of this parameter is the script in plain text. It can be up to 5 MB.", "SourceLocationArn": "The ARN of the Lambda layer where Synthetics stores the canary script code." }, + "AWS::Synthetics::Canary RetryConfig": { + "MaxRetries": "The maximum number of retries. The value must be less than or equal to two." + }, "AWS::Synthetics::Canary RunConfig": { "ActiveTracing": "Specifies whether this canary is to use active AWS X-Ray tracing when it runs. Active tracing enables this canary run to be displayed in the ServiceLens and X-Ray service maps even if the canary does not hit an endpoint that has X-Ray tracing enabled. Using X-Ray tracing incurs charges. For more information, see [Canaries and X-Ray tracing](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_tracing.html) .\n\nYou can enable active tracing only for canaries that use version `syn-nodejs-2.0` or later for their canary runtime.", "EnvironmentVariables": "Specifies the keys and values to use for any environment variables used in the canary script. Use the following format:\n\n{ \"key1\" : \"value1\", \"key2\" : \"value2\", ...}\n\nKeys must start with a letter and be at least two characters. The total size of your environment variables cannot exceed 4 KB. You can't specify any Lambda reserved environment variables as the keys for your environment variables. For more information about reserved keys, see [Runtime environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime) .", @@ -49679,14 +50203,15 @@ }, "AWS::Synthetics::Canary Schedule": { "DurationInSeconds": "How long, in seconds, for the canary to continue making regular runs according to the schedule in the `Expression` value. If you specify 0, the canary continues making runs until you stop it. If you omit this field, the default of 0 is used.", - "Expression": "A `rate` expression or a `cron` expression that defines how often the canary is to run.\n\nFor a rate expression, The syntax is `rate( *number unit* )` . *unit* can be `minute` , `minutes` , or `hour` .\n\nFor example, `rate(1 minute)` runs the canary once a minute, `rate(10 minutes)` runs it once every 10 minutes, and `rate(1 hour)` runs it once every hour. You can specify a frequency between `rate(1 minute)` and `rate(1 hour)` .\n\nSpecifying `rate(0 minute)` or `rate(0 hour)` is a special value that causes the canary to run only once when it is started.\n\nUse `cron( *expression* )` to specify a cron expression. You can't schedule a canary to wait for more than a year before running. For information about the syntax for cron expressions, see [Scheduling canary runs using cron](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_cron.html) ." + "Expression": "A `rate` expression or a `cron` expression that defines how often the canary is to run.\n\nFor a rate expression, The syntax is `rate( *number unit* )` . *unit* can be `minute` , `minutes` , or `hour` .\n\nFor example, `rate(1 minute)` runs the canary once a minute, `rate(10 minutes)` runs it once every 10 minutes, and `rate(1 hour)` runs it once every hour. You can specify a frequency between `rate(1 minute)` and `rate(1 hour)` .\n\nSpecifying `rate(0 minute)` or `rate(0 hour)` is a special value that causes the canary to run only once when it is started.\n\nUse `cron( *expression* )` to specify a cron expression. You can't schedule a canary to wait for more than a year before running. For information about the syntax for cron expressions, see [Scheduling canary runs using cron](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_cron.html) .", + "RetryConfig": "The canary's retry configuration information." }, "AWS::Synthetics::Canary Tag": { - "Key": "", - "Value": "" + "Key": "The key of this key-value pair.", + "Value": "The value of this key-value pair." }, "AWS::Synthetics::Canary VPCConfig": { - "Ipv6AllowedForDualStack": "", + "Ipv6AllowedForDualStack": "Set this to `true` to allow outbound IPv6 traffic on VPC canaries that are connected to dual-stack subnets. The default is `false` .", "SecurityGroupIds": "The IDs of the security groups for this canary.", "SubnetIds": "The IDs of the subnets where this canary is to run.", "VpcId": "The ID of the VPC where this canary is to run." @@ -49701,8 +50226,8 @@ "Tags": "The list of key-value pairs that are associated with the group." }, "AWS::Synthetics::Group Tag": { - "Key": "", - "Value": "" + "Key": "The key of this key-value pair.", + "Value": "The value of this key-value pair." }, "AWS::SystemsManagerSAP::Application": { "ApplicationId": "The ID of the application.", @@ -50001,7 +50526,7 @@ "OnUpload": "A trigger that starts a workflow: the workflow begins to execute after a file is uploaded.\n\nTo remove an associated workflow from a server, you can provide an empty `OnUpload` object, as in the following example.\n\n`aws transfer update-server --server-id s-01234567890abcdef --workflow-details '{\"OnUpload\":[]}'`\n\n> `OnUpload` can contain a maximum of one `WorkflowDetail` object." }, "AWS::Transfer::User": { - "HomeDirectory": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> The `HomeDirectory` parameter is only used if `HomeDirectoryType` is set to `PATH` .", + "HomeDirectory": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> You can use the `HomeDirectory` parameter for `HomeDirectoryType` when it is set to either `PATH` or `LOGICAL` .", "HomeDirectoryMappings": "Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the `Entry` and `Target` pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in `Target` . This value can be set only when `HomeDirectoryType` is set to *LOGICAL* .\n\nThe following is an `Entry` and `Target` pair example.\n\n`[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\" `chroot` \"). To do this, you can set `Entry` to `/` and set `Target` to the value the user should see for their home directory when they log in.\n\nThe following is an `Entry` and `Target` pair example for `chroot` .\n\n`[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`", "HomeDirectoryType": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or Amazon EFS path as is in their file transfer protocol clients. If you set it to `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.\n\n> If `HomeDirectoryType` is `LOGICAL` , you must provide mappings, using the `HomeDirectoryMappings` parameter. If, on the other hand, `HomeDirectoryType` is `PATH` , you provide an absolute path using the `HomeDirectory` parameter. You cannot have both `HomeDirectory` and `HomeDirectoryMappings` in your template.", "Policy": "A session policy for your user so you can use the same IAM role across multiple users. This policy restricts user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include `${Transfer:UserName}` , `${Transfer:HomeDirectory}` , and `${Transfer:HomeBucket}` .\n\n> For session policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the `Policy` argument.\n> \n> For an example of a session policy, see [Example session policy](https://docs.aws.amazon.com/transfer/latest/userguide/session-policy.html) .\n> \n> For more information, see [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) in the *AWS Security Token Service API Reference* .", @@ -50177,13 +50702,22 @@ "Resource": "The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the `?resource` placeholder in the policy template when it evaluates an authorization request." }, "AWS::VerifiedPermissions::PolicyStore": { + "DeletionProtection": "Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.\n\nThe default state is `DISABLED` .", "Description": "Descriptive text that you can provide to help with identification of the current policy store.", "Schema": "Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.", + "Tags": "The list of key-value pairs to associate with the policy store.", "ValidationSettings": "Specifies the validation setting for this policy store.\n\nCurrently, the only valid and required value is `Mode` .\n\n> We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) . Then, when you have a schema defined, use [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) again to turn validation back on." }, + "AWS::VerifiedPermissions::PolicyStore DeletionProtection": { + "Mode": "Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.\n\nThe default state is `DISABLED` ." + }, "AWS::VerifiedPermissions::PolicyStore SchemaDefinition": { "CedarJson": "A JSON string representation of the schema supported by applications that use this policy store. For more information, see [Policy store schema](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/schema.html) in the AVP User Guide." }, + "AWS::VerifiedPermissions::PolicyStore Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::VerifiedPermissions::PolicyStore ValidationSettings": { "Mode": "The validation mode currently configured for this policy store. The valid values are:\n\n- *OFF* \u2013 Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.\n- *STRICT* \u2013 Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.\n\n> If `Mode=STRICT` and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against.\n> \n> To submit a static policy or policy template without a schema, you must turn off validation." }, @@ -50232,7 +50766,7 @@ "Forward": "Describes a forward action. You can use forward actions to route requests to one or more target groups." }, "AWS::VpcLattice::Listener FixedResponse": { - "StatusCode": "The HTTP response code." + "StatusCode": "The HTTP response code. Only `404` and `500` status codes are supported." }, "AWS::VpcLattice::Listener Forward": { "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group." @@ -50259,7 +50793,7 @@ }, "AWS::VpcLattice::ResourceConfiguration DnsResource": { "DomainName": "The domain name of the resource configuration.", - "IpAddressType": "The IP address type for the resource configuration." + "IpAddressType": "The IP address type for the resource configuration. Dualstack is not currently supported." }, "AWS::VpcLattice::ResourceConfiguration ResourceConfigurationDefinition": { "ArnResource": "The Amazon Resource Name (ARN) of the resource configuration. For the ARN syntax and format, see [ARN format](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html#arns-syntax) in the *AWS Identity and Access Management user guide* .", @@ -50300,7 +50834,7 @@ "Forward": "The forward action. Traffic that matches the rule is forwarded to the specified target groups." }, "AWS::VpcLattice::Rule FixedResponse": { - "StatusCode": "The HTTP response code." + "StatusCode": "The HTTP response code. Only `404` and `500` status codes are supported." }, "AWS::VpcLattice::Rule Forward": { "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group." @@ -50798,7 +51332,7 @@ "AWS::WAFv2::RuleGroup Headers": { "MatchPattern": "The filter to use to identify the subset of headers to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedHeaders` , or `ExcludedHeaders` .\n\nExample JSON: `\"MatchPattern\": { \"ExcludedHeaders\": [ \"KeyToExclude1\", \"KeyToExclude2\" ] }`", "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", - "OversizeHandling": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." + "OversizeHandling": "What AWS WAF should do if the headers determined by your match scope are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::RuleGroup IPSetForwardedIPConfiguration": { "FallbackBehavior": "The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.\n\n> If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. \n\nYou can specify the following fallback behaviors:\n\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", @@ -50980,6 +51514,7 @@ "DefaultAction": "The action to perform if none of the `Rules` contained in the `WebACL` match.", "Description": "A description of the web ACL that helps with identification.", "Name": "The name of the web ACL. You cannot change the name of a web ACL after you create it.", + "OnSourceDDoSProtectionConfig": "", "Rules": "The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. For an AWS Amplify application, use `CLOUDFRONT` . A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation.", @@ -51120,7 +51655,7 @@ "AWS::WAFv2::WebACL Headers": { "MatchPattern": "The filter to use to identify the subset of headers to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedHeaders` , or `ExcludedHeaders` .\n\nExample JSON: `\"MatchPattern\": { \"ExcludedHeaders\": [ \"KeyToExclude1\", \"KeyToExclude2\" ] }`", "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", - "OversizeHandling": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." + "OversizeHandling": "What AWS WAF should do if the headers determined by your match scope are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::WebACL IPSetForwardedIPConfiguration": { "FallbackBehavior": "The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.\n\n> If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. \n\nYou can specify the following fallback behaviors:\n\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", @@ -51386,7 +51921,7 @@ "AnswerGenerationAIPromptId": "The AI Prompt identifier for the Answer Generation prompt used by the `ANSWER_RECOMMENDATION` AI Agent.", "AssociationConfigurations": "The association configurations for overriding behavior on this AI Agent.", "IntentLabelingGenerationAIPromptId": "The AI Prompt identifier for the Intent Labeling prompt used by the `ANSWER_RECOMMENDATION` AI Agent.", - "Locale": "", + "Locale": "The locale to which specifies the language and region settings that determine the response language for [QueryAssistant](https://docs.aws.amazon.com/connect/latest/APIReference/API_amazon-q-connect_QueryAssistant.html) .", "QueryReformulationAIPromptId": "The AI Prompt identifier for the Query Reformulation prompt used by the `ANSWER_RECOMMENDATION` AI Agent." }, "AWS::Wisdom::AIAgent AssociationConfiguration": { @@ -51406,7 +51941,7 @@ "AnswerGenerationAIGuardrailId": "The ID of the answer generation AI guardrail.", "AnswerGenerationAIPromptId": "The AI Prompt identifier for the Answer Generation prompt used by the `ANSWER_RECOMMENDATION` AI Agent.", "AssociationConfigurations": "The association configurations for overriding behavior on this AI Agent.", - "Locale": "" + "Locale": "The locale to which specifies the language and region settings that determine the response language for [QueryAssistant](https://docs.aws.amazon.com/connect/latest/APIReference/API_amazon-q-connect_QueryAssistant.html) ." }, "AWS::Wisdom::AIAgent OrCondition": { "AndConditions": "", @@ -51800,6 +52335,7 @@ "Description": "The description of the pool.", "DirectoryId": "The identifier of the directory used by the pool.", "PoolName": "The name of the pool.", + "RunningMode": "The running mode of the pool.", "TimeoutSettings": "The amount of time that a pool session remains active after users disconnect. If they try to reconnect to the pool session after a disconnection or network interruption within this time interval, they are connected to their previous session. Otherwise, they are connected to a new session with a new pool instance." }, "AWS::WorkSpaces::WorkspacesPool ApplicationSettings": { diff --git a/schema_source/cloudformation.schema.json b/schema_source/cloudformation.schema.json index 2d19845b58..45312f7bad 100644 --- a/schema_source/cloudformation.schema.json +++ b/schema_source/cloudformation.schema.json @@ -1498,7 +1498,7 @@ }, "LoggingConfiguration": { "$ref": "#/definitions/AWS::APS::Workspace.LoggingConfiguration", - "markdownDescription": "Contains information about the logging configuration for the workspace.", + "markdownDescription": "Contains information about the current rules and alerting logging configuration for the workspace.\n\n> These logging configurations are only for rules and alerting logs.", "title": "LoggingConfiguration" }, "Tags": { @@ -5973,7 +5973,7 @@ "type": "object" }, "TimeoutInMillis": { - "markdownDescription": "Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29 seconds.", + "markdownDescription": "Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29 seconds. You can increase the default value to longer than 29 seconds for Regional or private APIs only.", "title": "TimeoutInMillis", "type": "number" }, @@ -22795,7 +22795,7 @@ "type": "array" }, "PlacementGroup": { - "markdownDescription": "The name of the placement group into which to launch your instances. For more information, see [Placement groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\n> A *cluster* placement group is a logical grouping of instances within a single Availability Zone. You cannot specify multiple Availability Zones and a cluster placement group.", + "markdownDescription": "The name of the placement group into which to launch your instances. For more information, see [Placement groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide* .\n\n> A *cluster* placement group is a logical grouping of instances within a single Availability Zone. You cannot specify multiple Availability Zones and a cluster placement group.", "title": "PlacementGroup", "type": "string" }, @@ -22983,11 +22983,11 @@ }, "BaselineEbsBandwidthMbps": { "$ref": "#/definitions/AWS::AutoScaling::AutoScalingGroup.BaselineEbsBandwidthMbpsRequest", - "markdownDescription": "The minimum and maximum baseline bandwidth performance for an instance type, in Mbps. For more information, see [Amazon EBS\u2013optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nDefault: No minimum or maximum limits", + "markdownDescription": "The minimum and maximum baseline bandwidth performance for an instance type, in Mbps. For more information, see [Amazon EBS\u2013optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide* .\n\nDefault: No minimum or maximum limits", "title": "BaselineEbsBandwidthMbps" }, "BurstablePerformance": { - "markdownDescription": "Indicates whether burstable performance instance types are included, excluded, or required. For more information, see [Burstable performance instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nDefault: `excluded`", + "markdownDescription": "Indicates whether burstable performance instance types are included, excluded, or required. For more information, see [Burstable performance instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) in the *Amazon EC2 User Guide* .\n\nDefault: `excluded`", "title": "BurstablePerformance", "type": "string" }, @@ -22995,7 +22995,7 @@ "items": { "type": "string" }, - "markdownDescription": "Lists which specific CPU manufacturers to include.\n\n- For instance types with Intel CPUs, specify `intel` .\n- For instance types with AMD CPUs, specify `amd` .\n- For instance types with AWS CPUs, specify `amazon-web-services` .\n\n> Don't confuse the CPU hardware manufacturer with the CPU hardware architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. \n\nDefault: Any manufacturer", + "markdownDescription": "Lists which specific CPU manufacturers to include.\n\n- For instance types with Intel CPUs, specify `intel` .\n- For instance types with AMD CPUs, specify `amd` .\n- For instance types with AWS CPUs, specify `amazon-web-services` .\n- For instance types with Apple CPUs, specify `apple` .\n\n> Don't confuse the CPU hardware manufacturer with the CPU hardware architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. \n\nDefault: Any manufacturer", "title": "CpuManufacturers", "type": "array" }, @@ -23011,12 +23011,12 @@ "items": { "type": "string" }, - "markdownDescription": "Indicates whether current or previous generation instance types are included.\n\n- For current generation instance types, specify `current` . The current generation includes EC2 instance types currently recommended for use. This typically includes the latest two to three generations in each instance family. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide for Linux Instances* .\n- For previous generation instance types, specify `previous` .\n\nDefault: Any current or previous generation", + "markdownDescription": "Indicates whether current or previous generation instance types are included.\n\n- For current generation instance types, specify `current` . The current generation includes EC2 instance types currently recommended for use. This typically includes the latest two to three generations in each instance family. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide* .\n- For previous generation instance types, specify `previous` .\n\nDefault: Any current or previous generation", "title": "InstanceGenerations", "type": "array" }, "LocalStorage": { - "markdownDescription": "Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, see [Amazon EC2 instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nDefault: `included`", + "markdownDescription": "Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, see [Amazon EC2 instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html) in the *Amazon EC2 User Guide* .\n\nDefault: `included`", "title": "LocalStorage", "type": "string" }, @@ -23152,7 +23152,7 @@ "title": "InstanceRequirements" }, "InstanceType": { - "markdownDescription": "The instance type, such as `m3.xlarge` . You must specify an instance type that is supported in your requested Region and Availability Zones. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nYou can specify up to 40 instance types per Auto Scaling group.", + "markdownDescription": "The instance type, such as `m3.xlarge` . You must specify an instance type that is supported in your requested Region and Availability Zones. For more information, see [Instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the *Amazon EC2 User Guide* .\n\nYou can specify up to 40 instance types per Auto Scaling group.", "title": "InstanceType", "type": "string" }, @@ -23470,7 +23470,7 @@ "items": { "$ref": "#/definitions/AWS::AutoScaling::LaunchConfiguration.BlockDeviceMapping" }, - "markdownDescription": "The block device mapping entries that define the block devices to attach to the instances at launch. By default, the block devices specified in the block device mapping for the AMI are used. For more information, see [Block device mappings](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "markdownDescription": "The block device mapping entries that define the block devices to attach to the instances at launch. By default, the block devices specified in the block device mapping for the AMI are used. For more information, see [Block device mappings](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) in the *Amazon EC2 User Guide* .", "title": "BlockDeviceMappings", "type": "array" }, @@ -23488,7 +23488,7 @@ "type": "array" }, "EbsOptimized": { - "markdownDescription": "Specifies whether the launch configuration is optimized for EBS I/O ( `true` ) or not ( `false` ). The optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization is not available with all instance types. Additional fees are incurred when you enable EBS optimization for an instance type that is not EBS-optimized by default. For more information, see [Amazon EBS-optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nThe default value is `false` .", + "markdownDescription": "Specifies whether the launch configuration is optimized for EBS I/O ( `true` ) or not ( `false` ). The optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization is not available with all instance types. Additional fees are incurred when you enable EBS optimization for an instance type that is not EBS-optimized by default. For more information, see [Amazon EBS-optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html) in the *Amazon EC2 User Guide* .\n\nThe default value is `false` .", "title": "EbsOptimized", "type": "boolean" }, @@ -23498,7 +23498,7 @@ "type": "string" }, "ImageId": { - "markdownDescription": "The ID of the Amazon Machine Image (AMI) that was assigned during registration. For more information, see [Find a Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nIf you specify `InstanceId` , an `ImageId` is not required.", + "markdownDescription": "The ID of the Amazon Machine Image (AMI) that was assigned during registration. For more information, see [Find a Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html) in the *Amazon EC2 User Guide* .\n\nIf you specify `InstanceId` , an `ImageId` is not required.", "title": "ImageId", "type": "string" }, @@ -23513,17 +23513,17 @@ "type": "boolean" }, "InstanceType": { - "markdownDescription": "Specifies the instance type of the EC2 instance. For information about available instance types, see [Available instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes) in the *Amazon EC2 User Guide for Linux Instances* .\n\nIf you specify `InstanceId` , an `InstanceType` is not required.", + "markdownDescription": "Specifies the instance type of the EC2 instance. For information about available instance types, see [Available instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes) in the *Amazon EC2 User Guide* .\n\nIf you specify `InstanceId` , an `InstanceType` is not required.", "title": "InstanceType", "type": "string" }, "KernelId": { - "markdownDescription": "The ID of the kernel associated with the AMI.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "markdownDescription": "The ID of the kernel associated with the AMI.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide* .", "title": "KernelId", "type": "string" }, "KeyName": { - "markdownDescription": "The name of the key pair. For more information, see [Amazon EC2 key pairs and Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "markdownDescription": "The name of the key pair. For more information, see [Amazon EC2 key pairs and Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) in the *Amazon EC2 User Guide* .", "title": "KeyName", "type": "string" }, @@ -23543,7 +23543,7 @@ "type": "string" }, "RamDiskId": { - "markdownDescription": "The ID of the RAM disk to select.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide for Linux Instances* .", + "markdownDescription": "The ID of the RAM disk to select.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html) in the *Amazon EC2 User Guide* .", "title": "RamDiskId", "type": "string" }, @@ -23638,7 +23638,7 @@ "additionalProperties": false, "properties": { "DeviceName": { - "markdownDescription": "The device name assigned to the volume (for example, `/dev/sdh` or `xvdh` ). For more information, see [Device naming on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\n> To define a block device mapping, set the device name and exactly one of the following properties: `Ebs` , `NoDevice` , or `VirtualName` .", + "markdownDescription": "The device name assigned to the volume (for example, `/dev/sdh` or `xvdh` ). For more information, see [Device naming on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html) in the *Amazon EC2 User Guide* .\n\n> To define a block device mapping, set the device name and exactly one of the following properties: `Ebs` , `NoDevice` , or `VirtualName` .", "title": "DeviceName", "type": "string" }, @@ -25876,12 +25876,12 @@ "additionalProperties": false, "properties": { "DeleteAfterDays": { - "markdownDescription": "Specifies the number of days after creation that a recovery point is deleted. Must be greater than `MoveToColdStorageAfterDays` .", + "markdownDescription": "The number of days after creation that a recovery point is deleted. This value must be at least 90 days after the number of days specified in `MoveToColdStorageAfterDays` .", "title": "DeleteAfterDays", "type": "number" }, "MoveToColdStorageAfterDays": { - "markdownDescription": "Specifies the number of days after creation that a recovery point is moved to cold storage.", + "markdownDescription": "The number of days after creation that a recovery point is moved to cold storage.", "title": "MoveToColdStorageAfterDays", "type": "number" }, @@ -35260,7 +35260,7 @@ }, "AutoDeployment": { "$ref": "#/definitions/AWS::CloudFormation::StackSet.AutoDeployment", - "markdownDescription": "Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). For more information, see [Manage automatic deployments for CloudFormation StackSets that use service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.html) in the *AWS CloudFormation User Guide* .\n\nRequired if the permissions model is `SERVICE_MANAGED` . (Not used with self-managed permissions.)", + "markdownDescription": "Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). For more information, see [Enable or disable automatic deployments for StackSets in AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.html) in the *AWS CloudFormation User Guide* .\n\nRequired if the permissions model is `SERVICE_MANAGED` . (Not used with self-managed permissions.)", "title": "AutoDeployment" }, "CallAs": { @@ -38203,7 +38203,7 @@ "properties": { "KinesisStreamConfig": { "$ref": "#/definitions/AWS::CloudFront::RealtimeLogConfig.KinesisStreamConfig", - "markdownDescription": "Contains information about the Amazon Kinesis data stream where you are sending real-time log data.", + "markdownDescription": "Contains information about the Amazon Kinesis data stream where you are sending real-time log data in a real-time log configuration.", "title": "KinesisStreamConfig" }, "StreamType": { @@ -39426,7 +39426,7 @@ "type": "boolean" }, "KMSKeyId": { - "markdownDescription": "Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail. The value can be an alias name prefixed by \"alias/\", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012\n- 12345678-1234-1234-1234-123456789012", + "markdownDescription": "Specifies the AWS KMS key ID to use to encrypt the logs and digest files delivered by CloudTrail. The value can be an alias name prefixed by \"alias/\", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012\n- 12345678-1234-1234-1234-123456789012", "title": "KMSKeyId", "type": "string" }, @@ -55513,7 +55513,7 @@ "additionalProperties": false, "properties": { "CronExpression": { - "markdownDescription": "The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. For more information, see the [Cron expressions reference](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cron-expressions.html) in the *Amazon EventBridge User Guide* .", + "markdownDescription": "The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. For more information, see the [Cron and rate expressions](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html) in the *Amazon EventBridge User Guide* .", "title": "CronExpression", "type": "string" }, @@ -61509,7 +61509,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "markdownDescription": "(Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .\n\n> Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.", "title": "AgentArns", "type": "array" }, @@ -61530,7 +61530,7 @@ }, "AzureBlobSasConfiguration": { "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration", - "markdownDescription": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.", + "markdownDescription": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.\n\n> If you provide an authentication token using `SasConfiguration` , but do not provide secret configuration details using `CmkSecretConfig` or `CustomSecretConfig` , then DataSync stores the token using your AWS account's secrets manager secret.", "title": "AzureBlobSasConfiguration" }, "AzureBlobType": { @@ -62551,7 +62551,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.", + "markdownDescription": "(Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.\n\n> Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.", "title": "AgentArns", "type": "array" }, @@ -62561,7 +62561,7 @@ "type": "string" }, "SecretKey": { - "markdownDescription": "Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.", + "markdownDescription": "Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.\n\n> If you provide a secret using `SecretKey` , but do not provide secret configuration details using `CmkSecretConfig` or `CustomSecretConfig` , then DataSync stores the token using your AWS account's Secrets Manager secret.", "title": "SecretKey", "type": "string" }, @@ -62581,7 +62581,7 @@ "type": "number" }, "ServerProtocol": { - "markdownDescription": "Specifies the protocol that your object storage server uses to communicate.", + "markdownDescription": "Specifies the protocol that your object storage server uses to communicate. If not specified, the default value is `HTTPS` .", "title": "ServerProtocol", "type": "string" }, @@ -62888,41 +62888,27 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that connects to and reads from your on-premises storage system's management interface. You can only specify one ARN.", - "title": "AgentArns", "type": "array" }, "CloudWatchLogGroupArn": { - "markdownDescription": "Specifies the ARN of the Amazon CloudWatch log group for monitoring and logging discovery job events.", - "title": "CloudWatchLogGroupArn", "type": "string" }, "Name": { - "markdownDescription": "Specifies a familiar name for your on-premises storage system.", - "title": "Name", "type": "string" }, "ServerConfiguration": { - "$ref": "#/definitions/AWS::DataSync::StorageSystem.ServerConfiguration", - "markdownDescription": "Specifies the server name and network port required to connect with the management interface of your on-premises storage system.", - "title": "ServerConfiguration" + "$ref": "#/definitions/AWS::DataSync::StorageSystem.ServerConfiguration" }, "ServerCredentials": { - "$ref": "#/definitions/AWS::DataSync::StorageSystem.ServerCredentials", - "markdownDescription": "Specifies the user name and password for accessing your on-premises storage system's management interface.", - "title": "ServerCredentials" + "$ref": "#/definitions/AWS::DataSync::StorageSystem.ServerCredentials" }, "SystemType": { - "markdownDescription": "Specifies the type of on-premises storage system that you want DataSync Discovery to collect information about.\n\n> DataSync Discovery currently supports NetApp Fabric-Attached Storage (FAS) and All Flash FAS (AFF) systems running ONTAP 9.7 or later.", - "title": "SystemType", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your on-premises storage system.", - "title": "Tags", "type": "array" } }, @@ -62958,13 +62944,9 @@ "additionalProperties": false, "properties": { "ServerHostname": { - "markdownDescription": "The domain name or IP address of your storage system's management interface.", - "title": "ServerHostname", "type": "string" }, "ServerPort": { - "markdownDescription": "The network port for accessing the storage system's management interface.", - "title": "ServerPort", "type": "number" } }, @@ -62977,13 +62959,9 @@ "additionalProperties": false, "properties": { "Password": { - "markdownDescription": "Specifies the password for your storage system's management interface.", - "title": "Password", "type": "string" }, "Username": { - "markdownDescription": "Specifies the user name for your storage system's management interface.", - "title": "Username", "type": "string" } }, @@ -63089,7 +63067,7 @@ }, "TaskReportConfig": { "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig", - "markdownDescription": "Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer. For more information, see [Monitoring your DataSync transfers with task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .\n\nWhen using this parameter, your caller identity (the role that you're using DataSync with) must have the `iam:PassRole` permission. The [AWSDataSyncFullAccess](https://docs.aws.amazon.com/datasync/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsdatasyncfullaccess) policy includes this permission.", + "markdownDescription": "The configuration of your task report, which provides detailed information about your DataSync transfer. For more information, see [Monitoring your DataSync transfers with task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .", "title": "TaskReportConfig" } }, @@ -63124,7 +63102,7 @@ "additionalProperties": false, "properties": { "ReportLevel": { - "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to delete.", + "markdownDescription": "", "title": "ReportLevel", "type": "string" } @@ -63136,7 +63114,7 @@ "properties": { "S3": { "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfigDestinationS3", - "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report.", + "markdownDescription": "", "title": "S3" } }, @@ -63186,22 +63164,22 @@ "additionalProperties": false, "properties": { "BucketAccessRoleArn": { - "markdownDescription": "Specifies the AWS Identity and Access Management (IAM) role that allows DataSync to access your manifest. For more information, see [Providing DataSync access to your manifest](https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html#transferring-with-manifest-access) .", + "markdownDescription": "", "title": "BucketAccessRoleArn", "type": "string" }, "ManifestObjectPath": { - "markdownDescription": "Specifies the Amazon S3 object key of your manifest. This can include a prefix (for example, `prefix/my-manifest.csv` ).", + "markdownDescription": "", "title": "ManifestObjectPath", "type": "string" }, "ManifestObjectVersionId": { - "markdownDescription": "Specifies the object version ID of the manifest that you want DataSync to use. If you don't set this, DataSync uses the latest version of the object.", + "markdownDescription": "", "title": "ManifestObjectVersionId", "type": "string" }, "S3BucketArn": { - "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the S3 bucket where you're hosting your manifest.", + "markdownDescription": "", "title": "S3BucketArn", "type": "string" } @@ -63294,22 +63272,22 @@ "properties": { "Deleted": { "$ref": "#/definitions/AWS::DataSync::Task.Deleted", - "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you [configure your task](https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html) to delete data in the destination that isn't in the source.", + "markdownDescription": "", "title": "Deleted" }, "Skipped": { "$ref": "#/definitions/AWS::DataSync::Task.Skipped", - "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.", + "markdownDescription": "", "title": "Skipped" }, "Transferred": { "$ref": "#/definitions/AWS::DataSync::Task.Transferred", - "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.", + "markdownDescription": "", "title": "Transferred" }, "Verified": { "$ref": "#/definitions/AWS::DataSync::Task.Verified", - "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.", + "markdownDescription": "", "title": "Verified" } }, @@ -63319,7 +63297,7 @@ "additionalProperties": false, "properties": { "ReportLevel": { - "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to skip.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to skip.", + "markdownDescription": "", "title": "ReportLevel", "type": "string" } @@ -63331,7 +63309,7 @@ "properties": { "S3": { "$ref": "#/definitions/AWS::DataSync::Task.ManifestConfigSourceS3", - "markdownDescription": "Specifies the S3 bucket where you're hosting your manifest.", + "markdownDescription": "", "title": "S3" } }, @@ -63376,17 +63354,17 @@ "additionalProperties": false, "properties": { "BucketAccessRoleArn": { - "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. For more information, see [Allowing DataSync to upload a task report to an Amazon S3 bucket](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .", + "markdownDescription": "", "title": "BucketAccessRoleArn", "type": "string" }, "S3BucketArn": { - "markdownDescription": "Specifies the ARN of the S3 bucket where DataSync uploads your report.", + "markdownDescription": "", "title": "S3BucketArn", "type": "string" }, "Subdirectory": { - "markdownDescription": "Specifies a bucket prefix for your report.", + "markdownDescription": "", "title": "Subdirectory", "type": "string" } @@ -63402,7 +63380,7 @@ "type": "string" }, "Status": { - "markdownDescription": "Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to perform maintenance on a storage system before you can begin a recurring DataSync transfer.\n\nDataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see the [*DataSync User Guide*](https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html#pause-task-schedule) .", + "markdownDescription": "Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to pause a recurring transfer to fix an issue with your task or perform maintenance on your storage system.\n\nDataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see [TaskScheduleDetails](https://docs.aws.amazon.com/datasync/latest/userguide/API_TaskScheduleDetails.html) .", "title": "Status", "type": "string" } @@ -63413,7 +63391,7 @@ "additionalProperties": false, "properties": { "ReportLevel": { - "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer.", + "markdownDescription": "", "title": "ReportLevel", "type": "string" } @@ -63424,7 +63402,7 @@ "additionalProperties": false, "properties": { "ReportLevel": { - "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify.", + "markdownDescription": "", "title": "ReportLevel", "type": "string" } @@ -66554,7 +66532,7 @@ "type": "array" }, "EngineVersion": { - "markdownDescription": "The version number of the database engine to use. The `--engine-version` will default to the latest major engine version. For production workloads, we recommend explicitly declaring this parameter with the intended major engine version.\n\nChanging the `EngineVersion` will start an in-place engine version upgrade. Note that in-place engine version upgrade will cause downtime in the cluster. See [Amazon DocumentDB in-place major version upgrade](https://docs.aws.amazon.com/documentdb/latest/developerguide/docdb-mvu.html) before starting an in-place engine version upgrade.", + "markdownDescription": "The version number of the database engine to use. The `--engine-version` will default to the latest major engine version. For production workloads, we recommend explicitly declaring this parameter with the intended major engine version.\n\nIf you intend to trigger an in-place upgrade, please refer to [Amazon DocumentDB in-place major version upgrade](https://docs.aws.amazon.com/documentdb/latest/developerguide/docdb-mvu.html) . Note that for an in-place engine version upgrade, you need to remove other cluster properties changes (e.g. SecurityGroupId) from the CFN template.", "title": "EngineVersion", "type": "string" }, @@ -68030,7 +68008,7 @@ }, "ProvisionedThroughput": { "$ref": "#/definitions/AWS::DynamoDB::Table.ProvisionedThroughput", - "markdownDescription": "Represents the provisioned throughput settings for the specified global secondary index.\n\nFor current minimum and maximum provisioned throughput values, see [Service, Account, and Table Quotas](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html) in the *Amazon DynamoDB Developer Guide* .", + "markdownDescription": "Represents the provisioned throughput settings for the specified global secondary index. You must use either `OnDemandThroughput` or `ProvisionedThroughput` based on your table's capacity mode.\n\nFor current minimum and maximum provisioned throughput values, see [Service, Account, and Table Quotas](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html) in the *Amazon DynamoDB Developer Guide* .", "title": "ProvisionedThroughput" } }, @@ -69786,7 +69764,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n\nDefault: Any accelerator type", + "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with Inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "title": "AcceleratorTypes", "type": "array" }, @@ -72887,7 +72865,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n\nDefault: Any accelerator type", + "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with Inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "title": "AcceleratorTypes", "type": "array" }, @@ -77407,7 +77385,7 @@ "items": { "type": "string" }, - "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n\nDefault: Any accelerator type", + "markdownDescription": "The accelerator types that must be on the instance type.\n\n- For instance types with FPGA accelerators, specify `fpga` .\n- For instance types with GPU accelerators, specify `gpu` .\n- For instance types with Inference accelerators, specify `inference` .\n\nDefault: Any accelerator type", "title": "AcceleratorTypes", "type": "array" }, @@ -78935,12 +78913,12 @@ "type": "string" }, "DefaultRouteTableAssociation": { - "markdownDescription": "Enable or disable automatic association with the default association route table. Enabled by default.", + "markdownDescription": "Enable or disable automatic association with the default association route table. Enabled by default. If `DefaultRouteTableAssociation` is set to enable, AWS Transit Gateway will create the default transit gateway route table.", "title": "DefaultRouteTableAssociation", "type": "string" }, "DefaultRouteTablePropagation": { - "markdownDescription": "Enable or disable automatic propagation of routes to the default propagation route table. Enabled by default.", + "markdownDescription": "Enable or disable automatic propagation of routes to the default propagation route table. Enabled by default. If `DefaultRouteTablePropagation` is set to enable, AWS Transit Gateway will create the default transit gateway route table.", "title": "DefaultRouteTablePropagation", "type": "string" }, @@ -79600,12 +79578,12 @@ "type": "string" }, "PeerRegion": { - "markdownDescription": "The Region of the transit gateway.", + "markdownDescription": "The Region where the transit gateway that you want to create the peer for is located.", "title": "PeerRegion", "type": "string" }, "PeerTransitGatewayId": { - "markdownDescription": "The ID of the transit gateway.", + "markdownDescription": "The ID of the transit gateway in the PeerRegion.", "title": "PeerTransitGatewayId", "type": "string" }, @@ -83809,7 +83787,7 @@ }, "Options": { "additionalProperties": true, - "markdownDescription": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", + "markdownDescription": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n\n> On June 25, 2025, Amazon ECS is changing the default log driver mode from `blocking` to `non-blocking` to prioritize task availability over logging. To continue using the `blocking` mode after this change, do one of the following:\n> \n> - Set the `mode` option in your container definition's `logConfiguration` as `blocking` .\n> - Set the `defaultLogDriverMode` account setting to `blocking` .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -84030,12 +84008,12 @@ "additionalProperties": false, "properties": { "Encrypted": { - "markdownDescription": "Indicates whether the volume should be encrypted. If no value is specified, encryption is turned on by default. This parameter maps 1:1 with the `Encrypted` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", + "markdownDescription": "Indicates whether the volume should be encrypted. If you turn on Region-level Amazon EBS encryption by default but set this value as `false` , the setting is overridden and the volume is encrypted with the KMS key specified for Amazon EBS encryption by default. This parameter maps 1:1 with the `Encrypted` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", "title": "Encrypted", "type": "boolean" }, "FilesystemType": { - "markdownDescription": "The filesystem type for the volume. For volumes created from a snapshot, you must specify the same filesystem type that the volume was using when the snapshot was created. If there is a filesystem type mismatch, the task will fail to start.\n\nThe available Linux filesystem types are `ext3` , `ext4` , and `xfs` . If no value is specified, the `xfs` filesystem type is used by default.\n\nThe available Windows filesystem types are `NTFS` .", + "markdownDescription": "The filesystem type for the volume. For volumes created from a snapshot, you must specify the same filesystem type that the volume was using when the snapshot was created. If there is a filesystem type mismatch, the tasks will fail to start.\n\nThe available Linux filesystem types are `ext3` , `ext4` , and `xfs` . If no value is specified, the `xfs` filesystem type is used by default.\n\nThe available Windows filesystem types are `NTFS` .", "title": "FilesystemType", "type": "string" }, @@ -84045,7 +84023,7 @@ "type": "number" }, "KmsKeyId": { - "markdownDescription": "The Amazon Resource Name (ARN) identifier of the AWS Key Management Service key to use for Amazon EBS encryption. When encryption is turned on and no AWS Key Management Service key is specified, the default AWS managed key for Amazon EBS volumes is used. This parameter maps 1:1 with the `KmsKeyId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .\n\n> AWS authenticates the AWS Key Management Service key asynchronously. Therefore, if you specify an ID, alias, or ARN that is invalid, the action can appear to complete, but eventually fails.", + "markdownDescription": "The Amazon Resource Name (ARN) identifier of the AWS Key Management Service key to use for Amazon EBS encryption. When a key is specified using this parameter, it overrides Amazon EBS default encryption or any KMS key that you specified for cluster-level managed storage encryption. This parameter maps 1:1 with the `KmsKeyId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* . For more information about encrypting Amazon EBS volumes attached to tasks, see [Encrypt data stored in Amazon EBS volumes attached to Amazon ECS tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ebs-kms-encryption.html) .\n\n> AWS authenticates the AWS Key Management Service key asynchronously. Therefore, if you specify an ID, alias, or ARN that is invalid, the action can appear to complete, but eventually fails.", "title": "KmsKeyId", "type": "string" }, @@ -84060,7 +84038,7 @@ "type": "number" }, "SnapshotId": { - "markdownDescription": "The snapshot that Amazon ECS uses to create the volume. You must specify either a snapshot ID or a volume size. This parameter maps 1:1 with the `SnapshotId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", + "markdownDescription": "The snapshot that Amazon ECS uses to create volumes for attachment to tasks maintained by the service. You must specify either `snapshotId` or `sizeInGiB` in your volume configuration. This parameter maps 1:1 with the `SnapshotId` parameter of the [CreateVolume API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html) in the *Amazon EC2 API Reference* .", "title": "SnapshotId", "type": "string" }, @@ -84193,7 +84171,7 @@ "type": "array" }, "Cpu": { - "markdownDescription": "The number of `cpu` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the `memory` parameter.\n\nIf you're using the EC2 launch type or the external launch type, this field is optional. Supported values are between `128` CPU units ( `0.125` vCPUs) and `196608` CPU units ( `192` vCPUs). The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate.\n\n- 256 (.25 vCPU) - Available `memory` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB)\n- 512 (.5 vCPU) - Available `memory` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB)\n- 1024 (1 vCPU) - Available `memory` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB)\n- 2048 (2 vCPU) - Available `memory` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB)\n- 4096 (4 vCPU) - Available `memory` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB)\n- 8192 (8 vCPU) - Available `memory` values: 16 GB and 60 GB in 4 GB increments\n\nThis option requires Linux platform `1.4.0` or later.\n- 16384 (16vCPU) - Available `memory` values: 32GB and 120 GB in 8 GB increments\n\nThis option requires Linux platform `1.4.0` or later.", + "markdownDescription": "The number of `cpu` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the `memory` parameter.\n\nIf you're using the EC2 launch type or the external launch type, this field is optional. Supported values are between `128` CPU units ( `0.125` vCPUs) and `196608` CPU units ( `192` vCPUs).\n\nThis field is required for Fargate. For information about the valid values, see [Task size](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) in the *Amazon Elastic Container Service Developer Guide* .", "title": "Cpu", "type": "string" }, @@ -84354,7 +84332,7 @@ "items": { "$ref": "#/definitions/AWS::ECS::TaskDefinition.ContainerDependency" }, - "markdownDescription": "The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed.\n\nFor tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the container agent to turn on container dependencies. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nIf the task definition is used in a blue/green deployment that uses [AWS::CodeDeploy::DeploymentGroup BlueGreenDeploymentConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-bluegreendeploymentconfiguration.html) , the `dependsOn` parameter is not supported. For more information see [Issue #680](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/680) on the on the GitHub website.", + "markdownDescription": "The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed.\n\nFor tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the container agent to turn on container dependencies. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nIf the task definition is used in a blue/green deployment that uses [AWS::CodeDeploy::DeploymentGroup BlueGreenDeploymentConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-bluegreendeploymentconfiguration.html) , the `dependsOn` parameter is not supported.", "title": "DependsOn", "type": "array" }, @@ -84979,7 +84957,7 @@ }, "Options": { "additionalProperties": true, - "markdownDescription": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", + "markdownDescription": "The configuration options to send to the log driver.\n\nThe options you can specify depend on the log driver. Some of the options you can specify when you use the `awslogs` log driver to route logs to Amazon CloudWatch include the following:\n\n- **awslogs-create-group** - Required: No\n\nSpecify whether you want the log group to be created automatically. If this option isn't specified, it defaults to `false` .\n\n> Your IAM policy must include the `logs:CreateLogGroup` permission before you attempt to use `awslogs-create-group` .\n- **awslogs-region** - Required: Yes\n\nSpecify the AWS Region that the `awslogs` log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option.\n- **awslogs-group** - Required: Yes\n\nMake sure to specify a log group that the `awslogs` log driver sends its log streams to.\n- **awslogs-stream-prefix** - Required: Yes, when using Fargate.Optional when using EC2.\n\nUse the `awslogs-stream-prefix` option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format `prefix-name/container-name/ecs-task-id` .\n\nIf you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option.\n\nFor Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to.\n\nYou must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console.\n- **awslogs-datetime-format** - Required: No\n\nThis option defines a multiline start pattern in Python `strftime` format. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nOne example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry.\n\nFor more information, see [awslogs-datetime-format](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-datetime-format) .\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n- **awslogs-multiline-pattern** - Required: No\n\nThis option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don\u2019t match the pattern. The matched line is the delimiter between log messages.\n\nFor more information, see [awslogs-multiline-pattern](https://docs.aws.amazon.com/https://docs.docker.com/config/containers/logging/awslogs/#awslogs-multiline-pattern) .\n\nThis option is ignored if `awslogs-datetime-format` is also configured.\n\nYou cannot configure both the `awslogs-datetime-format` and `awslogs-multiline-pattern` options.\n\n> Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance.\n\nThe following options apply to all supported log drivers.\n\n- **mode** - Required: No\n\nValid values: `non-blocking` | `blocking`\n\nThis option defines the delivery mode of log messages from the container to the log driver specified using `logDriver` . The delivery mode you choose affects application availability when the flow of logs from container is interrupted.\n\nIf you use the `blocking` mode and the flow of logs is interrupted, calls from container code to write to the `stdout` and `stderr` streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure.\n\nIf you use the `non-blocking` mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the `max-buffer-size` option. This prevents the application from becoming unresponsive when logs cannot be sent. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see [Preventing log loss with non-blocking mode in the `awslogs` container log driver](https://docs.aws.amazon.com/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/) .\n\nYou can set a default `mode` for all containers in a specific AWS Region by using the `defaultLogDriverMode` account setting. If you don't specify the `mode` option or configure the account setting, Amazon ECS will default to the `blocking` mode. For more information about the account setting, see [Default log driver mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#default-log-driver-mode) in the *Amazon Elastic Container Service Developer Guide* .\n\n> On June 25, 2025, Amazon ECS is changing the default log driver mode from `blocking` to `non-blocking` to prioritize task availability over logging. To continue using the `blocking` mode after this change, do one of the following:\n> \n> - Set the `mode` option in your container definition's `logConfiguration` as `blocking` .\n> - Set the `defaultLogDriverMode` account setting to `blocking` .\n- **max-buffer-size** - Required: No\n\nDefault value: `1m`\n\nWhen `non-blocking` mode is used, the `max-buffer-size` log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.\n\nTo route logs using the `splunk` log router, you need to specify a `splunk-token` and a `splunk-url` .\n\nWhen you use the `awsfirelens` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the `log-driver-buffer-limit` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.\n\nOther options you can specify when using `awsfirelens` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with `region` and a name for the log stream with `delivery_stream` .\n\nWhen you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with `region` and a data stream name with `stream` .\n\nWhen you export logs to Amazon OpenSearch Service, you can specify options like `Name` , `Host` (OpenSearch Service endpoint without protocol), `Port` , `Index` , `Type` , `Aws_auth` , `Aws_region` , `Suppress_Type_Name` , and `tls` . For more information, see [Under the hood: FireLens for Amazon ECS Tasks](https://docs.aws.amazon.com/containers/under-the-hood-firelens-for-amazon-ecs-tasks/) .\n\nWhen you export logs to Amazon S3, you can specify the bucket using the `bucket` option. You can also specify `region` , `total_file_size` , `upload_timeout` , and `use_put_object` as options.\n\nThis parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -85162,7 +85140,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"`\n\nAll of these values are supported by Fargate.", + "markdownDescription": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"` . Only namespaced `Sysctls` that exist within the container starting with \"net.* are accepted.\n\nAll of these values are supported by Fargate.", "title": "Value", "type": "string" } @@ -86543,12 +86521,12 @@ "additionalProperties": false, "properties": { "EndpointPrivateAccess": { - "markdownDescription": "Set this value to `true` to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is `false` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that `publicAccessCidrs` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", + "markdownDescription": "Set this value to `true` to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is `false` , which disables private access for your Kubernetes API server. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure that `publicAccessCidrs` includes the necessary CIDR blocks for communication with the nodes or Fargate pods. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", "title": "EndpointPrivateAccess", "type": "boolean" }, "EndpointPublicAccess": { - "markdownDescription": "Set this value to `false` to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is `true` , which enables public access for your Kubernetes API server. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", + "markdownDescription": "Set this value to `false` to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is `true` , which enables public access for your Kubernetes API server. The endpoint domain name and IP address family depends on the value of the `ipFamily` for the cluster. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", "title": "EndpointPublicAccess", "type": "boolean" }, @@ -86556,7 +86534,7 @@ "items": { "type": "string" }, - "markdownDescription": "The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is `0.0.0.0/0` . If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate `Pod` in the cluster. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", + "markdownDescription": "The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is `0.0.0.0/0` and additionally `::/0` for dual-stack `IPv6` clusters. If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and AWS Fargate `Pod` in the cluster. For more information, see [Cluster API server endpoint](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .\n\nNote that the public endpoints are dual-stack for only `IPv6` clusters that are made after October 2024. You can't add `IPv6` CIDR blocks to `IPv4` clusters or `IPv6` clusters that were made before October 2024.", "title": "PublicAccessCidrs", "type": "array" }, @@ -90856,7 +90834,7 @@ "type": "string" }, "ClusterMode": { - "markdownDescription": "Enabled or Disabled. To modify cluster mode from Disabled to Enabled, you must first set the cluster mode to Compatible. Compatible mode allows your Valkey or Redis OSS clients to connect using both cluster mode enabled and cluster mode disabled. After you migrate all Valkey or Redis OSS clients to use cluster mode enabled, you can then complete cluster mode configuration and set the cluster mode to Enabled. For more information, see [Modify cluster mode](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/modify-cluster-mode.html) .", + "markdownDescription": "The mode can be enabled or disabled. To change the cluster mode from disabled to enabled, you must first set the cluster mode to compatible. The compatible mode allows your Valkey or Redis OSS clients to connect using both cluster mode enabled and cluster mode disabled. After you migrate all Valkey or Redis OSS clients to use cluster mode enabled, you can then complete cluster mode configuration and set the cluster mode to enabled. For more information, see [Modify cluster mode](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/modify-cluster-mode.html) .", "title": "ClusterMode", "type": "string" }, @@ -92908,7 +92886,7 @@ "type": "string" }, "SslPolicy": { - "markdownDescription": "[HTTPS and TLS listeners] The security policy that defines which protocols and ciphers are supported.\n\nUpdating the security policy can result in interruptions if the load balancer is handling a high volume of traffic.\n\nFor more information, see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) in the *Application Load Balancers Guide* and [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#describe-ssl-policies) in the *Network Load Balancers Guide* .", + "markdownDescription": "[HTTPS and TLS listeners] The security policy that defines which protocols and ciphers are supported. For more information, see [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html) in the *Application Load Balancers Guide* and [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) in the *Network Load Balancers Guide* .\n\n[HTTPS listeners] Updating the security policy can result in interruptions if the load balancer is handling a high volume of traffic. To decrease the possibility of an interruption if your load balancer is handling a high volume of traffic, create an additional load balancer or request an LCU reservation.", "title": "SslPolicy", "type": "string" } @@ -93243,7 +93221,7 @@ "additionalProperties": false, "properties": { "DurationSeconds": { - "markdownDescription": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).", + "markdownDescription": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.", "title": "DurationSeconds", "type": "number" }, @@ -93683,7 +93661,7 @@ "items": { "type": "string" }, - "markdownDescription": "The host names. The maximum size of each name is 128 characters. The comparison is case insensitive. The following wildcard characters are supported: * (matches 0 or more characters) and ? (matches exactly 1 character).\n\nIf you specify multiple strings, the condition is satisfied if one of the strings matches the host name.", + "markdownDescription": "The host names. The maximum size of each name is 128 characters. The comparison is case insensitive. The following wildcard characters are supported: * (matches 0 or more characters) and ? (matches exactly 1 character). You must include at least one \".\" character. You can include only alphabetical characters after the final \".\" character.\n\nIf you specify multiple strings, the condition is satisfied if one of the strings matches the host name.", "title": "Values", "type": "array" } @@ -93873,7 +93851,7 @@ "additionalProperties": false, "properties": { "DurationSeconds": { - "markdownDescription": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).", + "markdownDescription": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days). You must specify this value when enabling target group stickiness.", "title": "DurationSeconds", "type": "number" }, @@ -93937,7 +93915,7 @@ "additionalProperties": false, "properties": { "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": { - "markdownDescription": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .", + "markdownDescription": "Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink . The default is `on` .\n\nYou can't configure this property on a Network Load Balancer unless you associated a security group with the load balancer when you created it.", "title": "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", "type": "string" }, @@ -93950,7 +93928,7 @@ "items": { "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::LoadBalancer.LoadBalancerAttribute" }, - "markdownDescription": "The load balancer attributes.", + "markdownDescription": "The load balancer attributes. Attributes that you do not modify retain their current values.", "title": "LoadBalancerAttributes", "type": "array" }, @@ -94181,7 +94159,7 @@ "items": { "$ref": "#/definitions/AWS::ElasticLoadBalancingV2::TargetGroup.TargetGroupAttribute" }, - "markdownDescription": "The target group attributes.", + "markdownDescription": "The target group attributes. Attributes that you do not modify retain their current values.", "title": "TargetGroupAttributes", "type": "array" }, @@ -94275,7 +94253,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` , `least_outstanding_requests` , or `weighted_random` . The default is `round_robin` .\n- `load_balancing.algorithm.anomaly_mitigation` - Only available when `load_balancing.algorithm.type` is `weighted_random` . Indicates whether anomaly mitigation is enabled. The value is `on` or `off` . The default is `off` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation can't be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` . This attribute can't be enabled for UDP and TCP_UDP target groups.\n- `target_health_state.unhealthy.draining_interval_seconds` - The amount of time for Elastic Load Balancing to wait before changing the state of an unhealthy target from `unhealthy.draining` to `unhealthy` . The range is 0-360000 seconds. The default value is 0 seconds.\n\nNote: This attribute can only be configured when `target_health_state.unhealthy.connection_termination.enabled` is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is 1.\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` , `least_outstanding_requests` , or `weighted_random` . The default is `round_robin` .\n- `load_balancing.algorithm.anomaly_mitigation` - Only available when `load_balancing.algorithm.type` is `weighted_random` . Indicates whether anomaly mitigation is enabled. The value is `on` or `off` . The default is `off` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation can't be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` . This attribute can't be enabled for UDP and TCP_UDP target groups.\n- `target_health_state.unhealthy.draining_interval_seconds` - The amount of time for Elastic Load Balancing to wait before changing the state of an unhealthy target from `unhealthy.draining` to `unhealthy` . The range is 0-360000 seconds. The default value is 0 seconds.\n\nNote: This attribute can only be configured when `target_health_state.unhealthy.connection_termination.enabled` is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.", "title": "Key", "type": "string" }, @@ -95825,7 +95803,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of the attribute, selected from a list of values.\n\n> Normalization is only supported for `NAME` , `ADDRESS` , `PHONE` , and `EMAIL_ADDRESS` .\n> \n> If you want to normalize `NAME_FIRST` , `NAME_MIDDLE` , and `NAME_LAST` , you must group them by assigning them to the `NAME` `groupName` .\n> \n> If you want to normalize `ADDRESS_STREET1` , `ADDRESS_STREET2` , `ADDRESS_STREET3` , `ADDRESS_CITY` , `ADDRESS_STATE` , `ADDRESS_COUNTRY` , and `ADDRESS_POSTALCODE` , you must group them by assigning them to the `ADDRESS` `groupName` .\n> \n> If you want to normalize `PHONE_NUMBER` and `PHONE_COUNTRYCODE` , you must group them by assigning them to the `PHONE` `groupName` .", + "markdownDescription": "The type of the attribute, selected from a list of values.\n\nLiveRamp supports: `NAME` | `NAME_FIRST` | `NAME_MIDDLE` | `NAME_LAST` | `ADDRESS` | `ADDRESS_STREET1` | `ADDRESS_STREET2` | `ADDRESS_STREET3` | `ADDRESS_CITY` | `ADDRESS_STATE` | `ADDRESS_COUNTRY` | `ADDRESS_POSTALCODE` | `PHONE` | `PHONE_NUMBER` | `EMAIL_ADDRESS` | `UNIQUE_ID` | `PROVIDER_ID`\n\nTransUnion supports: `NAME` | `NAME_FIRST` | `NAME_LAST` | `ADDRESS` | `ADDRESS_CITY` | `ADDRESS_STATE` | `ADDRESS_COUNTRY` | `ADDRESS_POSTALCODE` | `PHONE_NUMBER` | `EMAIL_ADDRESS` | `UNIQUE_ID` | `IPV4` | `IPV6` | `MAID`\n\nUnified ID 2.0 supports: `PHONE_NUMBER` | `EMAIL_ADDRESS` | `UNIQUE_ID`\n\n> Normalization is only supported for `NAME` , `ADDRESS` , `PHONE` , and `EMAIL_ADDRESS` .\n> \n> If you want to normalize `NAME_FIRST` , `NAME_MIDDLE` , and `NAME_LAST` , you must group them by assigning them to the `NAME` `groupName` .\n> \n> If you want to normalize `ADDRESS_STREET1` , `ADDRESS_STREET2` , `ADDRESS_STREET3` , `ADDRESS_CITY` , `ADDRESS_STATE` , `ADDRESS_COUNTRY` , and `ADDRESS_POSTALCODE` , you must group them by assigning them to the `ADDRESS` `groupName` .\n> \n> If you want to normalize `PHONE_NUMBER` and `PHONE_COUNTRYCODE` , you must group them by assigning them to the `PHONE` `groupName` .", "title": "Type", "type": "string" } @@ -99811,7 +99789,7 @@ "type": "number" }, "StorageType": { - "markdownDescription": "Sets the storage class for the file system that you're creating. Valid values are `SSD` , `HDD` , and `INTELLIGENT_TIERING` .\n\n- Set to `SSD` to use solid state drive storage. SSD is supported on all Windows, Lustre, ONTAP, and OpenZFS deployment types.\n- Set to `HDD` to use hard disk drive storage, which is supported on `SINGLE_AZ_2` and `MULTI_AZ_1` Windows file system deployment types, and on `PERSISTENT_1` Lustre file system deployment types.\n- Set to `INTELLIGENT_TIERING` to use fully elastic, intelligently-tiered storage. Intelligent-Tiering is only available for OpenZFS file systems with the Multi-AZ deployment type.\n\nDefault value is `SSD` . For more information, see [Storage type options](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/optimize-fsx-costs.html#storage-type-options) in the *FSx for Windows File Server User Guide* , [Multiple storage options](https://docs.aws.amazon.com/fsx/latest/LustreGuide/what-is.html#storage-options) in the *FSx for Lustre User Guide* , and [Working with Intelligent-Tiering](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance-intelligent-tiering) in the *Amazon FSx for OpenZFS User Guide* .", + "markdownDescription": "Sets the storage class for the file system that you're creating. Valid values are `SSD` , `HDD` , and `INTELLIGENT_TIERING` .\n\n- Set to `SSD` to use solid state drive storage. SSD is supported on all Windows, Lustre, ONTAP, and OpenZFS deployment types.\n- Set to `HDD` to use hard disk drive storage, which is supported on `SINGLE_AZ_2` and `MULTI_AZ_1` Windows file system deployment types, and on `PERSISTENT_1` Lustre file system deployment types.\n- Set to `INTELLIGENT_TIERING` to use fully elastic, intelligently-tiered storage. Intelligent-Tiering is only available for OpenZFS file systems with the Multi-AZ deployment type and for Lustre file systems with the Persistent_2 deployment type.\n\nDefault value is `SSD` . For more information, see [Storage type options](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/optimize-fsx-costs.html#storage-type-options) in the *FSx for Windows File Server User Guide* , [FSx for Lustre storage classes](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html#lustre-storage-classes) in the *FSx for Lustre User Guide* , and [Working with Intelligent-Tiering](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance-intelligent-tiering) in the *Amazon FSx for OpenZFS User Guide* .", "title": "StorageType", "type": "string" }, @@ -99953,7 +99931,7 @@ "type": "string" }, "DeploymentType": { - "markdownDescription": "(Optional) Choose `SCRATCH_1` and `SCRATCH_2` deployment types when you need temporary storage and shorter-term processing of data. The `SCRATCH_2` deployment type provides in-transit encryption of data and higher burst throughput capacity than `SCRATCH_1` .\n\nChoose `PERSISTENT_1` for longer-term storage and for throughput-focused workloads that aren\u2019t latency-sensitive. `PERSISTENT_1` supports encryption of data in transit, and is available in all AWS Regions in which FSx for Lustre is available.\n\nChoose `PERSISTENT_2` for longer-term storage and for latency-sensitive workloads that require the highest levels of IOPS/throughput. `PERSISTENT_2` supports SSD storage, and offers higher `PerUnitStorageThroughput` (up to 1000 MB/s/TiB). You can optionally specify a metadata configuration mode for `PERSISTENT_2` which supports increasing metadata performance. `PERSISTENT_2` is available in a limited number of AWS Regions . For more information, and an up-to-date list of AWS Regions in which `PERSISTENT_2` is available, see [File system deployment options for FSx for Lustre](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html#lustre-deployment-types) in the *Amazon FSx for Lustre User Guide* .\n\n> If you choose `PERSISTENT_2` , and you set `FileSystemTypeVersion` to `2.10` , the `CreateFileSystem` operation fails. \n\nEncryption of data in transit is automatically turned on when you access `SCRATCH_2` , `PERSISTENT_1` , and `PERSISTENT_2` file systems from Amazon EC2 instances that support automatic encryption in the AWS Regions where they are available. For more information about encryption in transit for FSx for Lustre file systems, see [Encrypting data in transit](https://docs.aws.amazon.com/fsx/latest/LustreGuide/encryption-in-transit-fsxl.html) in the *Amazon FSx for Lustre User Guide* .\n\n(Default = `SCRATCH_1` )", + "markdownDescription": "(Optional) Choose `SCRATCH_1` and `SCRATCH_2` deployment types when you need temporary storage and shorter-term processing of data. The `SCRATCH_2` deployment type provides in-transit encryption of data and higher burst throughput capacity than `SCRATCH_1` .\n\nChoose `PERSISTENT_1` for longer-term storage and for throughput-focused workloads that aren\u2019t latency-sensitive. `PERSISTENT_1` supports encryption of data in transit, and is available in all AWS Regions in which FSx for Lustre is available.\n\nChoose `PERSISTENT_2` for longer-term storage and for latency-sensitive workloads that require the highest levels of IOPS/throughput. `PERSISTENT_2` supports the SSD and Intelligent-Tiering storage classes. You can optionally specify a metadata configuration mode for `PERSISTENT_2` which supports increasing metadata performance. `PERSISTENT_2` is available in a limited number of AWS Regions . For more information, and an up-to-date list of AWS Regions in which `PERSISTENT_2` is available, see [Deployment and storage class options for FSx for Lustre file systems](https://docs.aws.amazon.com/fsx/latest/LustreGuide/using-fsx-lustre.html) in the *Amazon FSx for Lustre User Guide* .\n\n> If you choose `PERSISTENT_2` , and you set `FileSystemTypeVersion` to `2.10` , the `CreateFileSystem` operation fails. \n\nEncryption of data in transit is automatically turned on when you access `SCRATCH_2` , `PERSISTENT_1` , and `PERSISTENT_2` file systems from Amazon EC2 instances that support automatic encryption in the AWS Regions where they are available. For more information about encryption in transit for FSx for Lustre file systems, see [Encrypting data in transit](https://docs.aws.amazon.com/fsx/latest/LustreGuide/encryption-in-transit-fsxl.html) in the *Amazon FSx for Lustre User Guide* .\n\n(Default = `SCRATCH_1` )", "title": "DeploymentType", "type": "string" }, @@ -100141,7 +100119,7 @@ "type": "array" }, "ThroughputCapacity": { - "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the `DeploymentType` and `StorageType` that you choose, as follows:\n\n- For `INTELIGENT_TIERING` , valid values are 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", + "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the `DeploymentType` that you choose, as follows:\n\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", "title": "ThroughputCapacity", "type": "number" }, @@ -103189,8 +103167,6 @@ "type": "string" }, "DesiredEC2Instances": { - "markdownDescription": "The number of EC2 instances that you want this fleet to host. When creating a new fleet, GameLift automatically sets this value to \"1\" and initiates a single instance. Once the fleet is active, update this value to trigger GameLift to add or remove instances from the fleet.", - "title": "DesiredEC2Instances", "type": "number" }, "EC2InboundPermissions": { @@ -103230,8 +103206,6 @@ "type": "array" }, "MaxSize": { - "markdownDescription": "The maximum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 1.", - "title": "MaxSize", "type": "number" }, "MetricGroups": { @@ -103243,8 +103217,6 @@ "type": "array" }, "MinSize": { - "markdownDescription": "The minimum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 0.", - "title": "MinSize", "type": "number" }, "Name": { @@ -108180,7 +108152,7 @@ "title": "TableOptimizerConfiguration" }, "Type": { - "markdownDescription": "The type of table optimizer. Currently, the only valid value is compaction.", + "markdownDescription": "The type of table optimizer. The valid values are:\n\n- compaction - for managing compaction with a table optimizer.\n- retention - for managing the retention of snapshot with a table optimizer.\n- orphan_file_deletion - for managing the deletion of orphan files with a table optimizer.", "title": "Type", "type": "string" } @@ -116860,7 +116832,7 @@ "type": "string" }, "ParentImage": { - "markdownDescription": "The base image for the container recipe.", + "markdownDescription": "The base image for customizations specified in the container recipe. This can contain an Image Builder image resource ARN or a container image URI, for example `amazonlinux:latest` .", "title": "ParentImage", "type": "string" }, @@ -117053,7 +117025,7 @@ "type": "array" }, "Image": { - "markdownDescription": "The AMI ID to use as the base image for a container build and test instance. If not specified, Image Builder will use the appropriate ECS-optimized AMI as a base image.", + "markdownDescription": "The base image for a container build and test instance. This can contain an AMI ID or it can specify an AWS Systems Manager (SSM) Parameter Store Parameter, prefixed by `ssm:` , followed by the parameter name or ARN.\n\nIf not specified, Image Builder uses the appropriate ECS-optimized AMI as a base image.", "title": "Image", "type": "string" } @@ -117952,7 +117924,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::ImageRecipe.ComponentConfiguration" }, - "markdownDescription": "The components of the image recipe. Components are orchestration documents that define a sequence of steps for downloading, installing, configuring, and testing software packages. They also define validation and security hardening steps. A component is defined using a YAML document format.", + "markdownDescription": "The components that are included in the image recipe. Recipes require a minimum of one build component, and can have a maximum of 20 build and test components in any combination.", "title": "Components", "type": "array" }, @@ -117967,7 +117939,7 @@ "type": "string" }, "ParentImage": { - "markdownDescription": "The parent image of the image recipe. The string must be either an Image ARN or an AMI ID.", + "markdownDescription": "The base image for customizations specified in the image recipe. You can specify the parent image using one of the following options:\n\n- AMI ID\n- Image Builder image Amazon Resource Name (ARN)\n- AWS Systems Manager (SSM) Parameter Store Parameter, prefixed by `ssm:` , followed by the parameter name or ARN.\n- AWS Marketplace product ID", "title": "ParentImage", "type": "string" }, @@ -117983,7 +117955,7 @@ "type": "object" }, "Version": { - "markdownDescription": "The semantic version of the image recipe.", + "markdownDescription": "The version of the image recipe.", "title": "Version", "type": "string" }, @@ -119969,13 +119941,9 @@ "additionalProperties": false, "properties": { "DeviceId": { - "markdownDescription": "The ID of the device, such as `G030PX0312744DWM` .", - "title": "DeviceId", "type": "string" }, "Enabled": { - "markdownDescription": "A Boolean value indicating whether the device is enabled ( `true` ) or not ( `false` ).", - "title": "Enabled", "type": "boolean" } }, @@ -120042,23 +120010,15 @@ "additionalProperties": false, "properties": { "AssociatedDevices": { - "markdownDescription": "The devices to associate with the placement, as defined by a mapping of zero or more key-value pairs wherein the key is a template name and the value is a device ID.", - "title": "AssociatedDevices", "type": "object" }, "Attributes": { - "markdownDescription": "The user-defined attributes associated with the placement.", - "title": "Attributes", "type": "object" }, "PlacementName": { - "markdownDescription": "The name of the placement.", - "title": "PlacementName", "type": "string" }, "ProjectName": { - "markdownDescription": "The name of the project containing the placement.", - "title": "ProjectName", "type": "string" } }, @@ -120124,18 +120084,12 @@ "additionalProperties": false, "properties": { "Description": { - "markdownDescription": "The description of the project.", - "title": "Description", "type": "string" }, "PlacementTemplate": { - "$ref": "#/definitions/AWS::IoT1Click::Project.PlacementTemplate", - "markdownDescription": "An object describing the project's placement specifications.", - "title": "PlacementTemplate" + "$ref": "#/definitions/AWS::IoT1Click::Project.PlacementTemplate" }, "ProjectName": { - "markdownDescription": "The name of the project from which to obtain information.", - "title": "ProjectName", "type": "string" } }, @@ -120181,13 +120135,9 @@ "additionalProperties": false, "properties": { "DefaultAttributes": { - "markdownDescription": "The default attributes (key-value pairs) to be applied to all placements using this template.", - "title": "DefaultAttributes", "type": "object" }, "DeviceTemplates": { - "markdownDescription": "An object specifying the [DeviceTemplate](https://docs.aws.amazon.com/iot-1-click/latest/projects-apireference/API_DeviceTemplate.html) for all placements using this ( [PlacementTemplate](https://docs.aws.amazon.com/iot-1-click/latest/projects-apireference/API_PlacementTemplate.html) ) template.", - "title": "DeviceTemplates", "type": "object" } }, @@ -137700,7 +137650,7 @@ }, "ApplicationMaintenanceConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationMaintenanceConfiguration", - "markdownDescription": "", + "markdownDescription": "Specifies the maintenance window parameters for a Kinesis Data Analytics application.", "title": "ApplicationMaintenanceConfiguration" }, "ApplicationMode": { @@ -137832,7 +137782,7 @@ "additionalProperties": false, "properties": { "ApplicationMaintenanceWindowStartTime": { - "markdownDescription": "Specifies the start time of the maintence window.", + "markdownDescription": "", "title": "ApplicationMaintenanceWindowStartTime", "type": "string" } @@ -142619,10 +142569,74 @@ "markdownDescription": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-consumer-group-id) .", "title": "ConsumerGroupId", "type": "string" + }, + "SchemaRegistryConfig": { + "$ref": "#/definitions/AWS::Lambda::EventSourceMapping.SchemaRegistryConfig", + "markdownDescription": "Specific configuration settings for a Kafka schema registry.", + "title": "SchemaRegistryConfig" } }, "type": "object" }, + "AWS::Lambda::EventSourceMapping.SchemaRegistryConfig": { + "additionalProperties": false, + "type": "object", + "properties": { + "SchemaRegistryURI" : { + "markdownDescription": "The URI for your schema registry. The correct URI format depends on the type of schema registry you're using.", + "title": "SchemaRegistryURI", + "type": "string" + }, + "EventRecordFormat": { + "markdownDescription": "The record format that Lambda delivers to your function after schema validation.", + "title": "EventRecordFormat", + "type": "string" + }, + "AccessConfigs": { + "items": { + "$ref": "#/definitions/AWS::Lambda::EventSourceMapping.SchemaRegistryAccessConfig" + }, + "markdownDescription": "An array of access configuration objects that tell Lambda how to authenticate with your schema registry.", + "title": "AccessConfigs", + "type": "array" + }, + "SchemaValidationConfigs": { + "items": { + "$ref": "#/definitions/AWS::Lambda::EventSourceMapping.SchemaValidationConfig" + }, + "markdownDescription": "An array of schema validation configuration objects, which tell Lambda the message attributes you want to validate and filter using your schema registry.", + "title": "SchemaValidationConfigs", + "type": "array" + } + } + }, + "AWS::Lambda::EventSourceMapping.SchemaRegistryAccessConfig": { + "additionalProperties": false, + "type": "object", + "properties": { + "Type": { + "markdownDescription": "The type of authentication Lambda uses to access your schema registry.", + "title": "Type", + "type": "string" + }, + "URI": { + "markdownDescription": "The URI of the secret (Secrets Manager secret ARN) to authenticate with your schema registry.", + "title": "URI", + "type": "string" + } + } + }, + "AWS::Lambda::EventSourceMapping.SchemaValidationConfig": { + "additionalProperties": false, + "type": "object", + "properties": { + "Attribute": { + "markdownDescription": "The attribute you want your schema registry to validate and filter for.", + "type": "string", + "title": "Attribute" + } + } + }, "AWS::Lambda::EventSourceMapping.DestinationConfig": { "additionalProperties": false, "properties": { @@ -142731,9 +142745,14 @@ "additionalProperties": false, "properties": { "ConsumerGroupId": { - "markdownDescription": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-consumer-group-id) .", + "markdownDescription": "The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. For more information, see [Customizable consumer group ID](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka-process.html#services-smaa-topic-add) .", "title": "ConsumerGroupId", "type": "string" + }, + "SchemaRegistryConfig": { + "markdownDescription": "Specific configuration settings for a Kafka schema registry.", + "title": "SchemaRegistryConfig", + "$ref": "#/definitions/AWS::Lambda::EventSourceMapping.SchemaRegistryConfig" } }, "type": "object" @@ -143739,12 +143758,12 @@ "additionalProperties": false, "properties": { "RuntimeVersionArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the runtime version you want the function to use.\n\n> This is only required if you're using the *Manual* runtime update mode.", "title": "RuntimeVersionArn", "type": "string" }, "UpdateRuntimeOn": { - "markdownDescription": "", + "markdownDescription": "Specify the runtime update mode.\n\n- *Auto (default)* - Automatically update to the most recent and secure runtime version using a [Two-phase runtime version rollout](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-two-phase) . This is the best choice for most customers to ensure they always benefit from runtime updates.\n- *FunctionUpdate* - Lambda updates the runtime of you function to the most recent and secure runtime version when you update your function. This approach synchronizes runtime updates with function deployments, giving you control over when runtime updates are applied and allowing you to detect and mitigate rare runtime update incompatibilities early. When using this setting, you need to regularly update your functions to keep their runtime up-to-date.\n- *Manual* - You specify a runtime version in your function configuration. The function will use this runtime version indefinitely. In the rare case where a new runtime version is incompatible with an existing function, this allows you to roll back your function to an earlier runtime version. For more information, see [Roll back a runtime version](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-rollback) .\n\n*Valid Values* : `Auto` | `FunctionUpdate` | `Manual`", "title": "UpdateRuntimeOn", "type": "string" } @@ -152616,7 +152635,7 @@ "type": "string" }, "ServerProperties": { - "markdownDescription": "Contents of the `server.properties` file. When using this property, you must ensure that the contents of the file are base64 encoded. When using the console, the SDK, or the AWS CLI , the contents of `server.properties` can be in plaintext.", + "markdownDescription": "Contents of the `server.properties` file. When using the console, the SDK, or the AWS CLI , the contents of `server.properties` can be in plaintext.", "title": "ServerProperties", "type": "string" } @@ -156416,7 +156435,7 @@ "title": "Maintenance" }, "Name": { - "markdownDescription": "A name for this audio selector. The AudioDescription (in an output) references this name in order to identify a specific input audio to include in that output.", + "markdownDescription": "Name of channel.", "title": "Name", "type": "string" }, @@ -163628,7 +163647,7 @@ "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.HlsManifestConfiguration" }, - "markdownDescription": "The HLS manfiests associated with the origin endpoint configuration.", + "markdownDescription": "The HLS manifests associated with the origin endpoint configuration.", "title": "HlsManifests", "type": "array" }, @@ -163842,7 +163861,7 @@ "title": "FilterConfiguration" }, "ManifestName": { - "markdownDescription": "A short short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", + "markdownDescription": "A short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", "title": "ManifestName", "type": "string" }, @@ -166720,7 +166739,7 @@ "items": { "$ref": "#/definitions/AWS::NetworkFirewall::Firewall.SubnetMapping" }, - "markdownDescription": "The public subnets that Network Firewall is using for the firewall. Each subnet must belong to a different Availability Zone.", + "markdownDescription": "The primary public subnets that Network Firewall is using for the firewall. Network Firewall creates a firewall endpoint in each subnet. Create a subnet mapping for each Availability Zone where you want to use the firewall.\n\nThese subnets are all defined for a single, primary VPC, and each must belong to a different Availability Zone. Each of these subnets establishes the availability of the firewall in its Availability Zone.\n\nIn addition to these subnets, you can define other endpoints for the firewall in `VpcEndpointAssociation` resources. You can define these additional endpoints for any VPC, and for any of the Availability Zones where the firewall resource already has a subnet mapping. VPC endpoint associations give you the ability to protect multiple VPCs using a single firewall, and to define multiple firewall endpoints for a VPC in a single Availability Zone.", "title": "SubnetMappings", "type": "array" }, @@ -169712,58 +169731,42 @@ "additionalProperties": false, "properties": { "Description": { - "markdownDescription": "A human-readable description of the launch profile.", - "title": "Description", "type": "string" }, "Ec2SubnetIds": { "items": { "type": "string" }, - "markdownDescription": "Unique identifiers for a collection of EC2 subnets.", - "title": "Ec2SubnetIds", "type": "array" }, "LaunchProfileProtocolVersions": { "items": { "type": "string" }, - "markdownDescription": "The version number of the protocol that is used by the launch profile. The only valid version is \"2021-03-31\".", - "title": "LaunchProfileProtocolVersions", "type": "array" }, "Name": { - "markdownDescription": "A friendly name for the launch profile.", - "title": "Name", "type": "string" }, "StreamConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfiguration", - "markdownDescription": "A configuration for a streaming session.", - "title": "StreamConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfiguration" }, "StudioComponentIds": { "items": { "type": "string" }, - "markdownDescription": "Unique identifiers for a collection of studio components that can be used with this launch profile.", - "title": "StudioComponentIds", "type": "array" }, "StudioId": { - "markdownDescription": "The unique identifier for a studio resource. In Nimble Studio, all other resources are contained in a studio resource.", - "title": "StudioId", "type": "string" }, "Tags": { "additionalProperties": true, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Tags", "type": "object" } }, @@ -169802,60 +169805,40 @@ "additionalProperties": false, "properties": { "AutomaticTerminationMode": { - "markdownDescription": "Indicates if a streaming session created from this launch profile should be terminated automatically or retained without termination after being in a `STOPPED` state.\n\n- When `ACTIVATED` , the streaming session is scheduled for termination after being in the `STOPPED` state for the time specified in `maxStoppedSessionLengthInMinutes` .\n- When `DEACTIVATED` , the streaming session can remain in the `STOPPED` state indefinitely.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` . When allowed, the default value for this parameter is `DEACTIVATED` .", - "title": "AutomaticTerminationMode", "type": "string" }, "ClipboardMode": { - "markdownDescription": "Allows or deactivates the use of the system clipboard to copy and paste between the streaming session and streaming client.", - "title": "ClipboardMode", "type": "string" }, "Ec2InstanceTypes": { "items": { "type": "string" }, - "markdownDescription": "The EC2 instance types that users can select from when launching a streaming session with this launch profile.", - "title": "Ec2InstanceTypes", "type": "array" }, "MaxSessionLengthInMinutes": { - "markdownDescription": "The length of time, in minutes, that a streaming session can be active before it is stopped or terminated. After this point, Nimble Studio automatically terminates or stops the session. The default length of time is 690 minutes, and the maximum length of time is 30 days.", - "title": "MaxSessionLengthInMinutes", "type": "number" }, "MaxStoppedSessionLengthInMinutes": { - "markdownDescription": "Integer that determines if you can start and stop your sessions and how long a session can stay in the `STOPPED` state. The default value is 0. The maximum value is 5760.\n\nThis field is allowed only when `sessionPersistenceMode` is `ACTIVATED` and `automaticTerminationMode` is `ACTIVATED` .\n\nIf the value is set to 0, your sessions can\u2019t be `STOPPED` . If you then call `StopStreamingSession` , the session fails. If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be terminated (instead of `STOPPED` ).\n\nIf the value is set to a positive number, the session can be stopped. You can call `StopStreamingSession` to stop sessions in the `READY` state. If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be stopped (instead of terminated).", - "title": "MaxStoppedSessionLengthInMinutes", "type": "number" }, "SessionBackup": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionBackup", - "markdownDescription": "Information about the streaming session backup.", - "title": "SessionBackup" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionBackup" }, "SessionPersistenceMode": { - "markdownDescription": "Determine if a streaming session created from this launch profile can configure persistent storage. This means that `volumeConfiguration` and `automaticTerminationMode` are configured.", - "title": "SessionPersistenceMode", "type": "string" }, "SessionStorage": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionStorage", - "markdownDescription": "The upload storage for a streaming session.", - "title": "SessionStorage" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionStorage" }, "StreamingImageIds": { "items": { "type": "string" }, - "markdownDescription": "The streaming images that users can select from when launching a streaming session with this launch profile.", - "title": "StreamingImageIds", "type": "array" }, "VolumeConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.VolumeConfiguration", - "markdownDescription": "Custom volume configuration for the root volumes that are attached to streaming sessions.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` .", - "title": "VolumeConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.VolumeConfiguration" } }, "required": [ @@ -169869,13 +169852,9 @@ "additionalProperties": false, "properties": { "MaxBackupsToRetain": { - "markdownDescription": "The maximum number of backups that each streaming session created from this launch profile can have.", - "title": "MaxBackupsToRetain", "type": "number" }, "Mode": { - "markdownDescription": "Specifies how artists sessions are backed up.\n\nConfigures backups for streaming sessions launched with this launch profile. The default value is `DEACTIVATED` , which means that backups are deactivated. To allow backups, set this value to `AUTOMATIC` .", - "title": "Mode", "type": "string" } }, @@ -169888,14 +169867,10 @@ "items": { "type": "string" }, - "markdownDescription": "Allows artists to upload files to their workstations. The only valid option is `UPLOAD` .", - "title": "Mode", "type": "array" }, "Root": { - "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamingSessionStorageRoot", - "markdownDescription": "The configuration for the upload storage root of the streaming session.", - "title": "Root" + "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamingSessionStorageRoot" } }, "required": [ @@ -169907,13 +169882,9 @@ "additionalProperties": false, "properties": { "Linux": { - "markdownDescription": "The folder path in Linux workstations where files are uploaded.", - "title": "Linux", "type": "string" }, "Windows": { - "markdownDescription": "The folder path in Windows workstations where files are uploaded.", - "title": "Windows", "type": "string" } }, @@ -169923,18 +169894,12 @@ "additionalProperties": false, "properties": { "Iops": { - "markdownDescription": "The number of I/O operations per second for the root volume that is attached to streaming session.", - "title": "Iops", "type": "number" }, "Size": { - "markdownDescription": "The size of the root volume that is attached to the streaming session. The root volume size is measured in GiBs.", - "title": "Size", "type": "number" }, "Throughput": { - "markdownDescription": "The throughput to provision for the root volume that is attached to the streaming session. The throughput is measured in MiB/s.", - "title": "Throughput", "type": "number" } }, @@ -169976,34 +169941,24 @@ "additionalProperties": false, "properties": { "Description": { - "markdownDescription": "A human-readable description of the streaming image.", - "title": "Description", "type": "string" }, "Ec2ImageId": { - "markdownDescription": "The ID of an EC2 machine image with which to create the streaming image.", - "title": "Ec2ImageId", "type": "string" }, "Name": { - "markdownDescription": "A friendly name for a streaming image resource.", - "title": "Name", "type": "string" }, "StudioId": { - "markdownDescription": "The unique identifier for a studio resource. In Nimble Studio, all other resources are contained in a studio resource.", - "title": "StudioId", "type": "string" }, "Tags": { "additionalProperties": true, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Tags", "type": "object" } }, @@ -170039,13 +169994,9 @@ "additionalProperties": false, "properties": { "KeyArn": { - "markdownDescription": "The ARN for a KMS key that is used to encrypt studio data.", - "title": "KeyArn", "type": "string" }, "KeyType": { - "markdownDescription": "The type of KMS key that is used to encrypt studio data.", - "title": "KeyType", "type": "string" } }, @@ -170090,39 +170041,27 @@ "additionalProperties": false, "properties": { "AdminRoleArn": { - "markdownDescription": "The IAM role that studio admins assume when logging in to the Nimble Studio portal.", - "title": "AdminRoleArn", "type": "string" }, "DisplayName": { - "markdownDescription": "A friendly name for the studio.", - "title": "DisplayName", "type": "string" }, "StudioEncryptionConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::Studio.StudioEncryptionConfiguration", - "markdownDescription": "Configuration of the encryption method that is used for the studio.", - "title": "StudioEncryptionConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::Studio.StudioEncryptionConfiguration" }, "StudioName": { - "markdownDescription": "The name of the studio, as included in the URL when accessing it in the Nimble Studio portal.", - "title": "StudioName", "type": "string" }, "Tags": { "additionalProperties": true, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Tags", "type": "object" }, "UserRoleArn": { - "markdownDescription": "The IAM role that studio users assume when logging in to the Nimble Studio portal.", - "title": "UserRoleArn", "type": "string" } }, @@ -170159,13 +170098,9 @@ "additionalProperties": false, "properties": { "KeyArn": { - "markdownDescription": "The ARN for a KMS key that is used to encrypt studio data.", - "title": "KeyArn", "type": "string" }, "KeyType": { - "markdownDescription": "The type of KMS key that is used to encrypt studio data.", - "title": "KeyType", "type": "string" } }, @@ -170210,68 +170145,48 @@ "additionalProperties": false, "properties": { "Configuration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.StudioComponentConfiguration", - "markdownDescription": "The configuration of the studio component, based on component type.", - "title": "Configuration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.StudioComponentConfiguration" }, "Description": { - "markdownDescription": "A human-readable description for the studio component resource.", - "title": "Description", "type": "string" }, "Ec2SecurityGroupIds": { "items": { "type": "string" }, - "markdownDescription": "The EC2 security groups that control access to the studio component.", - "title": "Ec2SecurityGroupIds", "type": "array" }, "InitializationScripts": { "items": { "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.StudioComponentInitializationScript" }, - "markdownDescription": "Initialization scripts for studio components.", - "title": "InitializationScripts", "type": "array" }, "Name": { - "markdownDescription": "A friendly name for the studio component resource.", - "title": "Name", "type": "string" }, "ScriptParameters": { "items": { "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ScriptParameterKeyValue" }, - "markdownDescription": "Parameters for the studio component scripts.", - "title": "ScriptParameters", "type": "array" }, "StudioId": { - "markdownDescription": "The unique identifier for a studio resource. In Nimble Studio, all other resources are contained in a studio resource.", - "title": "StudioId", "type": "string" }, "Subtype": { - "markdownDescription": "The specific subtype of a studio component.", - "title": "Subtype", "type": "string" }, "Tags": { "additionalProperties": true, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Tags", "type": "object" }, "Type": { - "markdownDescription": "The type of the studio component.", - "title": "Type", "type": "string" } }, @@ -170307,13 +170222,9 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "The name for the LDAP attribute.", - "title": "Name", "type": "string" }, "Value": { - "markdownDescription": "The value for the LDAP attribute.", - "title": "Value", "type": "string" } }, @@ -170326,18 +170237,12 @@ "items": { "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ActiveDirectoryComputerAttribute" }, - "markdownDescription": "A collection of custom attributes for an Active Directory computer.", - "title": "ComputerAttributes", "type": "array" }, "DirectoryId": { - "markdownDescription": "The directory ID of the AWS Directory Service for Microsoft Active Directory to access using this studio component.", - "title": "DirectoryId", "type": "string" }, "OrganizationalUnitDistinguishedName": { - "markdownDescription": "The distinguished name (DN) and organizational unit (OU) of an Active Directory computer.", - "title": "OrganizationalUnitDistinguishedName", "type": "string" } }, @@ -170347,13 +170252,9 @@ "additionalProperties": false, "properties": { "ActiveDirectoryUser": { - "markdownDescription": "The name of an Active Directory user that is used on ComputeFarm worker instances.", - "title": "ActiveDirectoryUser", "type": "string" }, "Endpoint": { - "markdownDescription": "The endpoint of the ComputeFarm that is accessed by the studio component resource.", - "title": "Endpoint", "type": "string" } }, @@ -170363,8 +170264,6 @@ "additionalProperties": false, "properties": { "Endpoint": { - "markdownDescription": "The endpoint of the license service that is accessed by the studio component resource.", - "title": "Endpoint", "type": "string" } }, @@ -170374,13 +170273,9 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "A script parameter key.", - "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "A script parameter value.", - "title": "Value", "type": "string" } }, @@ -170390,28 +170285,18 @@ "additionalProperties": false, "properties": { "Endpoint": { - "markdownDescription": "The endpoint of the shared file system that is accessed by the studio component resource.", - "title": "Endpoint", "type": "string" }, "FileSystemId": { - "markdownDescription": "The unique identifier for a file system.", - "title": "FileSystemId", "type": "string" }, "LinuxMountPoint": { - "markdownDescription": "The mount location for a shared file system on a Linux virtual workstation.", - "title": "LinuxMountPoint", "type": "string" }, "ShareName": { - "markdownDescription": "The name of the file share.", - "title": "ShareName", "type": "string" }, "WindowsMountDrive": { - "markdownDescription": "The mount location for a shared file system on a Windows virtual workstation.", - "title": "WindowsMountDrive", "type": "string" } }, @@ -170421,24 +170306,16 @@ "additionalProperties": false, "properties": { "ActiveDirectoryConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ActiveDirectoryConfiguration", - "markdownDescription": "The configuration for a AWS Directory Service for Microsoft Active Directory studio resource.", - "title": "ActiveDirectoryConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ActiveDirectoryConfiguration" }, "ComputeFarmConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ComputeFarmConfiguration", - "markdownDescription": "The configuration for a render farm that is associated with a studio resource.", - "title": "ComputeFarmConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.ComputeFarmConfiguration" }, "LicenseServiceConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.LicenseServiceConfiguration", - "markdownDescription": "The configuration for a license service that is associated with a studio resource.", - "title": "LicenseServiceConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.LicenseServiceConfiguration" }, "SharedFileSystemConfiguration": { - "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.SharedFileSystemConfiguration", - "markdownDescription": "The configuration for a shared file storage system that is associated with a studio resource.", - "title": "SharedFileSystemConfiguration" + "$ref": "#/definitions/AWS::NimbleStudio::StudioComponent.SharedFileSystemConfiguration" } }, "type": "object" @@ -170447,23 +170324,15 @@ "additionalProperties": false, "properties": { "LaunchProfileProtocolVersion": { - "markdownDescription": "The version number of the protocol that is used by the launch profile. The only valid version is \"2021-03-31\".", - "title": "LaunchProfileProtocolVersion", "type": "string" }, "Platform": { - "markdownDescription": "The platform of the initialization script, either Windows or Linux.", - "title": "Platform", "type": "string" }, "RunContext": { - "markdownDescription": "The method to use when running the initialization script.", - "title": "RunContext", "type": "string" }, "Script": { - "markdownDescription": "The initialization script.", - "title": "Script", "type": "string" } }, @@ -170722,7 +170591,7 @@ "additionalProperties": false, "properties": { "LabelTemplate": { - "markdownDescription": "Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.\n\nYou can include the following variables in your template:\n\n- `$AccountName` is the name of the account\n- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as `mariagarcia@example.com`\n- `$AccountEmailNoDomain` is an email address without the domain name, such as `mariagarcia`", + "markdownDescription": "Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.\n\nYou can include the following variables in your template:\n\n- `$AccountName` is the name of the account\n- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as `mariagarcia@example.com`\n- `$AccountEmailNoDomain` is an email address without the domain name, such as `mariagarcia`\n\n> In the and Regions, the only supported option is to use custom labels, and the `$AccountName` , `$AccountEmail` , and `$AccountEmailNoDomain` variables all resolve as *account-id* instead of the specified variable.", "title": "LabelTemplate", "type": "string" }, @@ -170735,7 +170604,7 @@ "items": { "type": "string" }, - "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application | AWS::InternetMonitor::Monitor | AWS::ApplicationSignals::Service | AWS::ApplicationSignals::ServiceLevelObjective` .", + "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application | AWS::InternetMonitor::Monitor` .", "title": "ResourceTypes", "type": "array" }, @@ -170788,7 +170657,7 @@ "properties": { "LogGroupConfiguration": { "$ref": "#/definitions/AWS::Oam::Link.LinkFilter", - "markdownDescription": "Use this structure to filter which log groups are to send log events from the source account to the monitoring account.", + "markdownDescription": "Use this structure to filter which log groups are to share log events from this source account to the monitoring account.", "title": "LogGroupConfiguration" }, "MetricConfiguration": { @@ -170803,7 +170672,7 @@ "additionalProperties": false, "properties": { "Filter": { - "markdownDescription": "", + "markdownDescription": "When used in `MetricConfiguration` this field specifies which metric namespaces are to be shared with the monitoring account\n\nWhen used in `LogGroupConfiguration` this field specifies which log groups are to share their log events with the monitoring account. Use the term `LogGroupName` and one or more of the following operands.\n\nUse single quotation marks (') around log group names and metric namespaces.\n\nThe matching of log group names and metric namespaces is case sensitive. Each filter has a limit of five conditional operands. Conditional operands are `AND` and `OR` .\n\n- `=` and `!=`\n- `AND`\n- `OR`\n- `LIKE` and `NOT LIKE` . These can be used only as prefix searches. Include a `%` at the end of the string that you want to search for and include.\n- `IN` and `NOT IN` , using parentheses `( )`\n\nExamples:\n\n- `Namespace NOT LIKE 'AWS/%'` includes only namespaces that don't start with `AWS/` , such as custom namespaces.\n- `Namespace IN ('AWS/EC2', 'AWS/ELB', 'AWS/S3')` includes only the metrics in the EC2, Elastic Load Balancing , and Amazon S3 namespaces.\n- `Namespace = 'AWS/EC2' OR Namespace NOT LIKE 'AWS/%'` includes only the EC2 namespace and your custom namespaces.\n- `LogGroupName IN ('This-Log-Group', 'Other-Log-Group')` includes only the log groups with names `This-Log-Group` and `Other-Log-Group` .\n- `LogGroupName NOT IN ('Private-Log-Group', 'Private-Log-Group-2')` includes all log groups except the log groups with names `Private-Log-Group` and `Private-Log-Group-2` .\n- `LogGroupName LIKE 'aws/lambda/%' OR LogGroupName LIKE 'AWSLogs%'` includes all log groups that have names that start with `aws/lambda/` or `AWSLogs` .\n\n> If you are updating a link that uses filters, you can specify `*` as the only value for the `filter` parameter to delete the filter and share all log groups with the monitoring account.", "title": "Filter", "type": "string" } @@ -192333,7 +192202,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -204866,7 +204735,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -208274,7 +208143,7 @@ "items": { "type": "string" }, - "markdownDescription": "An array of Amazon Resource Names (ARNs) for Amazon QuickSight users or groups.", + "markdownDescription": "An array of Amazon Resource Names (ARNs) for QuickSight users or groups.", "title": "Principals", "type": "array" } @@ -208701,7 +208570,7 @@ "additionalProperties": false, "properties": { "UniqueKey": { - "markdownDescription": "A value that indicates that a row in a table is uniquely identified by the columns in a join key. This is used by Amazon QuickSight to optimize query performance.", + "markdownDescription": "A value that indicates that a row in a table is uniquely identified by the columns in a join key. This is used by QuickSight to optimize query performance.", "title": "UniqueKey", "type": "boolean" } @@ -208986,7 +208855,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -209888,7 +209757,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -210191,7 +210060,7 @@ "additionalProperties": false, "properties": { "RefreshType": { - "markdownDescription": "The type of refresh that a dataset undergoes. Valid values are as follows:\n\n- `FULL_REFRESH` : A complete refresh of a dataset.\n- `INCREMENTAL_REFRESH` : A partial refresh of some rows of a dataset, based on the time window specified.\n\nFor more information on full and incremental refreshes, see [Refreshing SPICE data](https://docs.aws.amazon.com/quicksight/latest/user/refreshing-imported-data.html) in the *Amazon QuickSight User Guide* .", + "markdownDescription": "The type of refresh that a dataset undergoes. Valid values are as follows:\n\n- `FULL_REFRESH` : A complete refresh of a dataset.\n- `INCREMENTAL_REFRESH` : A partial refresh of some rows of a dataset, based on the time window specified.\n\nFor more information on full and incremental refreshes, see [Refreshing SPICE data](https://docs.aws.amazon.com/quicksight/latest/user/refreshing-imported-data.html) in the *QuickSight User Guide* .", "title": "RefreshType", "type": "string" }, @@ -219257,7 +219126,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -222728,7 +222597,7 @@ "type": "array" }, "Principal": { - "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a Amazon QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", + "markdownDescription": "The Amazon Resource Name (ARN) of the principal. This can be one of the following:\n\n- The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)\n- The ARN of an Amazon QuickSight user, group, or namespace associated with an analysis, dashboard, template, or theme. (This is common.)\n- The ARN of an AWS account root: This is an IAM ARN rather than a QuickSight ARN. Use this option only to share resources (templates) across AWS accounts . (This is less common.)", "title": "Principal", "type": "string" } @@ -224429,7 +224298,7 @@ "type": "array" }, "AutoMinorVersionUpgrade": { - "markdownDescription": "Specifies whether minor engine upgrades are applied automatically to the DB cluster during the maintenance window. By default, minor engine upgrades are applied automatically.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB cluster", + "markdownDescription": "Specifies whether minor engine upgrades are applied automatically to the DB cluster during the maintenance window. By default, minor engine upgrades are applied automatically.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB cluster.\n\nFor more information about automatic minor version upgrades, see [Automatically upgrading the minor engine version](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades) .", "title": "AutoMinorVersionUpgrade", "type": "boolean" }, @@ -225951,12 +225820,12 @@ "additionalProperties": false, "properties": { "ConnectionBorrowTimeout": { - "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 3600.", + "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 300.", "title": "ConnectionBorrowTimeout", "type": "number" }, "InitQuery": { - "markdownDescription": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure that the query you add is valid. To include multiple variables in a single `SET` statement, use comma separators.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nFor multiple statements, use semicolons as the separator.\n\nDefault: no initialization query", + "markdownDescription": "Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure the query added here is valid. This is an optional field, so you can choose to leave it empty. For including multiple variables in a single SET statement, use a comma separator.\n\nFor example: `SET variable1=value1, variable2=value2`\n\nDefault: no initialization query", "title": "InitQuery", "type": "string" }, @@ -228561,7 +228430,7 @@ "items": { "$ref": "#/definitions/AWS::RedshiftServerless::Workgroup.ConfigParameter" }, - "markdownDescription": "A list of parameters to set for finer control over a database. Available options are `datestyle` , `enable_user_activity_logging` , `query_group` , `search_path` , `max_query_execution_time` , and `require_ssl` .", + "markdownDescription": "The key of the parameter. The options are `auto_mv` , `datestyle` , `enable_case_sensitive_identifier` , `enable_user_activity_logging` , `query_group` , `search_path` , `require_ssl` , `use_fips_ssl` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", "title": "ConfigParameters", "type": "array" }, @@ -228650,7 +228519,7 @@ "additionalProperties": false, "properties": { "ParameterKey": { - "markdownDescription": "The key of the parameter. The options are `datestyle` , `enable_user_activity_logging` , `query_group` , `search_path` , `max_query_execution_time` , and `require_ssl` .", + "markdownDescription": "The key of the parameter. The options are `auto_mv` , `datestyle` , `enable_case_sensitive_identifier` , `enable_user_activity_logging` , `query_group` , `search_path` , `require_ssl` , `use_fips_ssl` , and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see [Query monitoring metrics for Amazon Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/dg/cm-c-wlm-query-monitoring-rules.html#cm-c-wlm-query-monitoring-metrics-serverless) .", "title": "ParameterKey", "type": "string" }, @@ -236492,7 +236361,7 @@ "type": "string" }, "KeyPrefixEquals": { - "markdownDescription": "The object key name prefix when the redirect is applied. For example, to redirect requests for `ExamplePage.html` , the key prefix will be `ExamplePage.html` . To redirect request for all pages with the prefix `docs/` , the key prefix will be `/docs` , which identifies all objects in the docs/ folder.\n\nRequired when the parent element `Condition` is specified and sibling `HttpErrorCodeReturnedEquals` is not specified. If both conditions are specified, both must be true for the redirect to be applied.", + "markdownDescription": "The object key name prefix when the redirect is applied. For example, to redirect requests for `ExamplePage.html` , the key prefix will be `ExamplePage.html` . To redirect request for all pages with the prefix `docs/` , the key prefix will be `docs/` , which identifies all objects in the docs/ folder.\n\nRequired when the parent element `Condition` is specified and sibling `HttpErrorCodeReturnedEquals` is not specified. If both conditions are specified, both must be true for the redirect to be applied.", "title": "KeyPrefixEquals", "type": "string" } @@ -239170,7 +239039,7 @@ "items": { "type": "string" }, - "markdownDescription": "The types of events that Amazon SES sends to the specified event destinations.\n\n- `SEND` - The send request was successful and SES will attempt to deliver the message to the recipient\u2019s mail server. (If account-level or global suppression is being used, SES will still count it as a send, but delivery is suppressed.)\n- `REJECT` - SES accepted the email, but determined that it contained a virus and didn\u2019t attempt to deliver it to the recipient\u2019s mail server.\n- `BOUNCE` - ( *Hard bounce* ) The recipient's mail server permanently rejected the email. ( *Soft bounces* are only included when SES fails to deliver the email after retrying for a period of time.)\n- `COMPLAINT` - The email was successfully delivered to the recipient\u2019s mail server, but the recipient marked it as spam.\n- `DELIVERY` - SES successfully delivered the email to the recipient's mail server.\n- `OPEN` - The recipient received the message and opened it in their email client.\n- `CLICK` - The recipient clicked one or more links in the email.\n- `RENDERING_FAILURE` - The email wasn't sent because of a template rendering issue. This event type can occur when template data is missing, or when there is a mismatch between template parameters and data. (This event type only occurs when you send email using the [`SendTemplatedEmail`](https://docs.aws.amazon.com/ses/latest/APIReference/API_SendTemplatedEmail.html) or [`SendBulkTemplatedEmail`](https://docs.aws.amazon.com/ses/latest/APIReference/API_SendBulkTemplatedEmail.html) API operations.)\n- `DELIVERY_DELAY` - The email couldn't be delivered to the recipient\u2019s mail server because a temporary issue occurred. Delivery delays can occur, for example, when the recipient's inbox is full, or when the receiving email server experiences a transient issue.\n- `SUBSCRIPTION` - The email was successfully delivered, but the recipient updated their subscription preferences by clicking on an *unsubscribe* link as part of your [subscription management](https://docs.aws.amazon.com/ses/latest/dg/sending-email-subscription-management.html) .", + "markdownDescription": "The types of events that Amazon SES sends to the specified event destinations.\n\n- `SEND` - The send request was successful and SES will attempt to deliver the message to the recipient\u2019s mail server. (If account-level or global suppression is being used, SES will still count it as a send, but delivery is suppressed.)\n- `REJECT` - SES accepted the email, but determined that it contained a virus and didn\u2019t attempt to deliver it to the recipient\u2019s mail server.\n- `BOUNCE` - ( *Hard bounce* ) The recipient's mail server permanently rejected the email. ( *Soft bounces* are only included when SES fails to deliver the email after retrying for a period of time.)\n- `COMPLAINT` - The email was successfully delivered to the recipient\u2019s mail server, but the recipient marked it as spam.\n- `DELIVERY` - SES successfully delivered the email to the recipient's mail server.\n- `OPEN` - The recipient received the message and opened it in their email client.\n- `CLICK` - The recipient clicked one or more links in the email.\n- `RENDERING_FAILURE` - The email wasn't sent because of a template rendering issue. This event type can occur when template data is missing, or when there is a mismatch between template parameters and data. (This event type only occurs when you send email using the [`SendEmail`](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_SendEmail.html) or [`SendBulkEmail`](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_SendBulkEmail.html) API operations.)\n- `DELIVERY_DELAY` - The email couldn't be delivered to the recipient\u2019s mail server because a temporary issue occurred. Delivery delays can occur, for example, when the recipient's inbox is full, or when the receiving email server experiences a transient issue.\n- `SUBSCRIPTION` - The email was successfully delivered, but the recipient updated their subscription preferences by clicking on an *unsubscribe* link as part of your [subscription management](https://docs.aws.amazon.com/ses/latest/dg/sending-email-subscription-management.html) .", "title": "MatchingEventTypes", "type": "array" }, @@ -239949,12 +239818,12 @@ "additionalProperties": false, "properties": { "Encoding": { - "markdownDescription": "The encoding to use for the email within the Amazon SNS notification. UTF-8 is easier to use, but may not preserve all special characters when a message was encoded with a different encoding format. Base64 preserves all special characters. The default value is UTF-8.", + "markdownDescription": "The encoding to use for the email within the Amazon SNS notification. The default value is `UTF-8` . Use `BASE64` if you need to preserve all special characters, especially when the original message uses a different encoding format.", "title": "Encoding", "type": "string" }, "TopicArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon SNS topic to notify. You can find the ARN of a topic by using the [ListTopics](https://docs.aws.amazon.com/sns/latest/api/API_ListTopics.html) operation in Amazon SNS.\n\nFor more information about Amazon SNS topics, see the [Amazon SNS Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/CreateTopic.html) .", + "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon SNS Topic to which notification for the email received will be published.", "title": "TopicArn", "type": "string" } @@ -240139,7 +240008,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the template. You will refer to this name when you send email using the `SendTemplatedEmail` or `SendBulkTemplatedEmail` operations.", + "markdownDescription": "The name of the template. You will refer to this name when you send email using the `SendEmail` or `SendBulkEmail` operations.", "title": "TemplateName", "type": "string" }, @@ -261439,12 +261308,12 @@ "type": "string" }, "S3Key": { - "markdownDescription": "The S3 key of your script. For more information, see [Working with Amazon S3 Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html) .", + "markdownDescription": "The Amazon S3 key of your script. For more information, see [Working with Amazon S3 Objects](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html) .", "title": "S3Key", "type": "string" }, "S3ObjectVersion": { - "markdownDescription": "The S3 version ID of your script.", + "markdownDescription": "The Amazon S3 version ID of your script.", "title": "S3ObjectVersion", "type": "string" }, @@ -263447,7 +263316,7 @@ "additionalProperties": false, "properties": { "HomeDirectory": { - "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> The `HomeDirectory` parameter is only used if `HomeDirectoryType` is set to `PATH` .", + "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> You can use the `HomeDirectory` parameter for `HomeDirectoryType` when it is set to either `PATH` or `LOGICAL` .", "title": "HomeDirectory", "type": "string" }, @@ -264755,7 +264624,7 @@ "additionalProperties": false, "properties": { "StatusCode": { - "markdownDescription": "The HTTP response code.", + "markdownDescription": "The HTTP response code. Only `404` and `500` status codes are supported.", "title": "StatusCode", "type": "number" } @@ -264996,7 +264865,7 @@ "additionalProperties": false, "properties": { "StatusCode": { - "markdownDescription": "The HTTP response code.", + "markdownDescription": "The HTTP response code. Only `404` and `500` status codes are supported.", "title": "StatusCode", "type": "number" } @@ -268711,7 +268580,7 @@ "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", + "markdownDescription": "What AWS WAF should do if the headers determined by your match scope are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", "title": "OversizeHandling", "type": "string" } @@ -270213,7 +270082,7 @@ "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", + "markdownDescription": "What AWS WAF should do if the headers determined by your match scope are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.", "title": "OversizeHandling", "type": "string" } diff --git a/schema_source/sam.schema.json b/schema_source/sam.schema.json index ef135734ba..169a78c7f1 100644 --- a/schema_source/sam.schema.json +++ b/schema_source/sam.schema.json @@ -2421,6 +2421,9 @@ "ProvisionedPollerConfig": { "$ref": "#/definitions/PassThroughProp" }, + "SchemaRegistryConfig": { + "$ref": "#/definitions/PassThroughProp" + }, "SourceAccessConfigurations": { "allOf": [ { @@ -3197,6 +3200,9 @@ "ProvisionedPollerConfig": { "$ref": "#/definitions/PassThroughProp" }, + "SchemaRegistryConfig": { + "$ref": "#/definitions/PassThroughProp" + }, "SourceAccessConfigurations": { "allOf": [ { diff --git a/tests/model/eventsources/test_msk_event_source.py b/tests/model/eventsources/test_msk_event_source.py index 03d8e8a30d..87467eaccd 100644 --- a/tests/model/eventsources/test_msk_event_source.py +++ b/tests/model/eventsources/test_msk_event_source.py @@ -1,5 +1,6 @@ from unittest import TestCase +from samtranslator.intrinsics.resolver import IntrinsicsResolver from samtranslator.model.eventsources.pull import MSK @@ -38,6 +39,98 @@ def test_get_policy_statements(self): self.assertEqual(policy_statements, expected_policy_document) + def test_get_policy_statements_with_glue_schema_registry(self): + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "arn:aws:glue:us-west-2:123456789012:registry/example", + "EventRecordFormat": "JSON", + "SchemaValidationConfigs": [ + { + "Attribute": "KEY", + "ValidSchemas": ["schema1"], + } + ], + "AccessConfigs": [ + {"Type": "BASIC_AUTH", "URI": "SCHEMA_SECRET_URI"}, + {"Type": "SERVER_ROOT_CA_CERTIFICATE", "URI": "CA_SECRET_URI"}, + ], + } + + policy_statements = self.kafka_event_source.get_policy_statements(IntrinsicsResolver({})) + expected_policy_document = [ + { + "PolicyName": "MSKExecutionRolePolicy", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue", + ], + "Effect": "Allow", + "Resource": "SCHEMA_SECRET_URI", + }, + { + "Action": [ + "secretsmanager:GetSecretValue", + ], + "Effect": "Allow", + "Resource": "CA_SECRET_URI", + }, + { + "Action": ["glue:GetRegistry"], + "Effect": "Allow", + "Resource": "arn:aws:glue:us-west-2:123456789012:registry/example", + }, + { + "Action": ["glue:GetSchemaVersion"], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/example/*" + } + ], + }, + ] + }, + } + ] + + self.assertEqual(policy_statements, expected_policy_document) + + def test_get_policy_statements_with_non_glue_schema_registry(self): + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "https://example.com/testRegistry", + "EventRecordFormat": "JSON", + "SchemaValidationConfigs": [ + { + "Attribute": "KEY", + "ValidSchemas": ["schema1"], + } + ], + "AccessConfigs": [ + {"Type": "SERVER_ROOT_CA_CERTIFICATE", "URI": "CA_SECRET_URI"}, + ], + } + + policy_statements = self.kafka_event_source.get_policy_statements(IntrinsicsResolver({})) + expected_policy_document = [ + { + "PolicyName": "MSKExecutionRolePolicy", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue", + ], + "Effect": "Allow", + "Resource": "CA_SECRET_URI", + } + ] + }, + } + ] + + self.assertEqual(policy_statements, expected_policy_document) + def test_get_policy_statements_with_no_auth_mechanism(self): self.kafka_event_source.SourceAccessConfigurations = [] @@ -45,3 +138,49 @@ def test_get_policy_statements_with_no_auth_mechanism(self): expected_policy_document = None self.assertEqual(policy_statements, expected_policy_document) + + def test_validate_schema_registry_config_missing_required_fields(self): + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "arn:aws:glue:us-west-2:123456789012:registry/example" + } + with self.assertRaises(Exception) as context: + self.kafka_event_source.validate_schema_registry_config() + self.assertTrue("Missing required field EventRecordFormat in SchemaRegistryConfig" in str(context.exception)) + + def test_validate_schema_registry_config_invalid_format(self): + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "arn:aws:glue:us-west-2:123456789012:registry/example", + "EventRecordFormat": "INVALID", + "SchemaValidationConfigs": [], + } + with self.assertRaises(Exception) as context: + self.kafka_event_source.validate_schema_registry_config() + self.assertTrue( + "EventRecordFormat in SchemaRegistryConfig must be either 'JSON' or 'SOURCE'" in str(context.exception) + ) + + def test_validate_schema_registry_config_invalid_validation_configs(self): + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "arn:aws:glue:us-west-2:123456789012:registry/example", + "EventRecordFormat": "JSON", + "SchemaValidationConfigs": "not-a-list", + } + with self.assertRaises(Exception) as context: + self.kafka_event_source.validate_schema_registry_config() + self.assertTrue("SchemaValidationConfigs must be a list" in str(context.exception)) + + def test_validate_schema_registry_config_when_access_config_is_empty(self): + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "arn:aws:glue:us-west-2:123456789012:registry/example", + "EventRecordFormat": "JSON", + "SchemaValidationConfigs": [ + { + "Attribute": "KEY", + "ValidSchemas": ["schema1"], + } + ], + "AccessConfigs": "not- a list", + } + with self.assertRaises(Exception) as context: + self.kafka_event_source.validate_schema_registry_config() + self.assertTrue("AccessConfigs in SchemaRegistryConfig must be a list" in str(context.exception)) diff --git a/tests/model/eventsources/test_self_managed_kafka_event_source.py b/tests/model/eventsources/test_self_managed_kafka_event_source.py index 2681fae80f..4a2dc6f15e 100644 --- a/tests/model/eventsources/test_self_managed_kafka_event_source.py +++ b/tests/model/eventsources/test_self_managed_kafka_event_source.py @@ -1,6 +1,7 @@ from unittest import TestCase from parameterized import parameterized +from samtranslator.intrinsics.resolver import IntrinsicsResolver from samtranslator.model.eventsources.pull import SelfManagedKafka from samtranslator.model.exceptions import InvalidEventException @@ -321,3 +322,154 @@ def test_must_validate_secrets_manager_kms_key_id(self, kms_key_id_value): with self.assertRaises(InvalidEventException) as error: self.kafka_event_source.get_policy_statements() self.assertEqual(error_message, str(error.exception)) + + def test_validate_schema_registry_config_missing_required_fields(self): + self.kafka_event_source.SourceAccessConfigurations = [ + {"Type": "SASL_SCRAM_256_AUTH", "URI": "SECRET_URI"}, + {"Type": "VPC_SUBNET", "URI": "SECRET_URI"}, + {"Type": "VPC_SECURITY_GROUP", "URI": "SECRET_URI"}, + ] + self.kafka_event_source.Topics = ["Topics"] + self.kafka_event_source.KafkaBootstrapServers = ["endpoint1", "endpoint2"] + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "arn:aws:glue:us-west-2:123456789012:registry/example" + } + with self.assertRaises(InvalidEventException) as context: + self.kafka_event_source.get_policy_statements(IntrinsicsResolver({})) + self.assertTrue("Missing required field EventRecordFormat in SchemaRegistryConfig" in str(context.exception)) + + def test_validate_schema_registry_config_invalid_format(self): + self.kafka_event_source.SourceAccessConfigurations = [ + {"Type": "SASL_SCRAM_256_AUTH", "URI": "SECRET_URI"}, + {"Type": "VPC_SUBNET", "URI": "SECRET_URI"}, + {"Type": "VPC_SECURITY_GROUP", "URI": "SECRET_URI"}, + ] + self.kafka_event_source.Topics = ["Topics"] + self.kafka_event_source.KafkaBootstrapServers = ["endpoint1", "endpoint2"] + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "arn:aws:glue:us-west-2:123456789012:registry/example", + "EventRecordFormat": "INVALID", + "SchemaValidationConfigs": [], + } + with self.assertRaises(InvalidEventException) as context: + self.kafka_event_source.get_policy_statements(IntrinsicsResolver({})) + self.assertTrue( + "EventRecordFormat in SchemaRegistryConfig must be either 'JSON' or 'SOURCE'" in str(context.exception) + ) + + def test_validate_schema_registry_config_invalid_validation_configs(self): + self.kafka_event_source.SourceAccessConfigurations = [ + {"Type": "SASL_SCRAM_256_AUTH", "URI": "SECRET_URI"}, + {"Type": "VPC_SUBNET", "URI": "SECRET_URI"}, + {"Type": "VPC_SECURITY_GROUP", "URI": "SECRET_URI"}, + ] + self.kafka_event_source.Topics = ["Topics"] + self.kafka_event_source.KafkaBootstrapServers = ["endpoint1", "endpoint2"] + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "arn:aws:glue:us-west-2:123456789012:registry/example", + "EventRecordFormat": "JSON", + "SchemaValidationConfigs": "not-a-list", + } + with self.assertRaises(InvalidEventException) as context: + self.kafka_event_source.get_policy_statements(IntrinsicsResolver({})) + self.assertTrue("SchemaValidationConfigs must be a list" in str(context.exception)) + + def test_get_policy_statements_with_schema_registry(self): + self.kafka_event_source.SourceAccessConfigurations = [ + {"Type": "BASIC_AUTH", "URI": "SECRET_URI"}, + {"Type": "VPC_SUBNET", "URI": "SECRET_URI"}, + {"Type": "VPC_SECURITY_GROUP", "URI": "SECRET_URI"}, + ] + self.kafka_event_source.Topics = ["Topics"] + self.kafka_event_source.KafkaBootstrapServers = ["endpoint1", "endpoint2"] + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "arn:aws:glue:us-west-2:123456789012:registry/example", + "EventRecordFormat": "JSON", + "SchemaValidationConfigs": [{"Attribute": "KEY"}], + "AccessConfigs": [{"Type": "BASIC_AUTH", "URI": "BASIC_AUTH_URI"}], + } + + policy_statements = self.kafka_event_source.get_policy_statements(IntrinsicsResolver({})) + expected_statements = [ + {"Action": ["secretsmanager:GetSecretValue"], "Effect": "Allow", "Resource": "SECRET_URI"}, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + ], + "Effect": "Allow", + "Resource": "*", + }, + {"Action": ["secretsmanager:GetSecretValue"], "Effect": "Allow", "Resource": "BASIC_AUTH_URI"}, + { + "Action": ["glue:GetRegistry"], + "Effect": "Allow", + "Resource": "arn:aws:glue:us-west-2:123456789012:registry/example", + }, + { + "Action": ["glue:GetSchemaVersion"], + "Effect": "Allow", + "Resource": [ + {"Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/example/*"} + ], + }, + ] + self.assertEqual(len(policy_statements), 1) + self.assertEqual(len(policy_statements[0]["PolicyDocument"]["Statement"]), len(expected_statements)) + for statement in expected_statements: + self.assertIn(statement, policy_statements[0]["PolicyDocument"]["Statement"]) + + def test_get_policy_statements_with_non_glue_schema_registry(self): + self.kafka_event_source.SourceAccessConfigurations = [ + {"Type": "BASIC_AUTH", "URI": "SECRET_URI"}, + {"Type": "VPC_SUBNET", "URI": "SECRET_URI"}, + {"Type": "VPC_SECURITY_GROUP", "URI": "SECRET_URI"}, + ] + self.kafka_event_source.Topics = ["Topics"] + self.kafka_event_source.KafkaBootstrapServers = ["endpoint1", "endpoint2"] + self.kafka_event_source.SchemaRegistryConfig = { + "SchemaRegistryURI": "https://example.com/testRegistry", + "EventRecordFormat": "JSON", + "SchemaValidationConfigs": [{"Attribute": "KEY"}], + "AccessConfigs": [ + {"Type": "SERVER_ROOT_CA_CERTIFICATE", "URI": "CA_SECRET_URI"}, + ], + } + + policy_statements = self.kafka_event_source.get_policy_statements(IntrinsicsResolver({})) + expected_statements = [ + { + "Action": [ + "secretsmanager:GetSecretValue", + ], + "Effect": "Allow", + "Resource": "SECRET_URI", + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + ], + "Effect": "Allow", + "Resource": "*", + }, + { + "Action": [ + "secretsmanager:GetSecretValue", + ], + "Effect": "Allow", + "Resource": "CA_SECRET_URI", + }, + ] + + self.assertEqual(len(policy_statements[0]["PolicyDocument"]["Statement"]), len(expected_statements)) + for statement in expected_statements: + self.assertIn(statement, policy_statements[0]["PolicyDocument"]["Statement"]) diff --git a/tests/translator/input/cognito_template_with_new_properties.yaml b/tests/translator/input/cognito_template_with_new_properties.yaml new file mode 100644 index 0000000000..cdfb89112b --- /dev/null +++ b/tests/translator/input/cognito_template_with_new_properties.yaml @@ -0,0 +1,11 @@ +Transform: AWS::Serverless-2016-10-31 +Resources: + MyUserPool: + Type: AWS::Cognito::UserPool + Properties: + UserPoolTier: PLUS + UserPoolName: MyUserPool + EmailAuthenticationMessage: Your verification code is {####} + EmailAuthenticationSubject: Your verification code + WebAuthnRelyingPartyID: id + WebAuthnUserVerification: required diff --git a/tests/translator/input/error_invalid_schema_registry_config_for_kafka.yaml b/tests/translator/input/error_invalid_schema_registry_config_for_kafka.yaml new file mode 100644 index 0000000000..dcef734328 --- /dev/null +++ b/tests/translator/input/error_invalid_schema_registry_config_for_kafka.yaml @@ -0,0 +1,67 @@ +AWSTemplateFormatVersion: '2010-09-09' +Parameters: {} +Resources: + MSKFunctionWithoutSchemaValidationConfigs: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://sam-demo-bucket/kafka.zip + Handler: index.kafka_handler + Runtime: python3.9 + Events: + MyKafkaCluster: + Type: MSK + Properties: + Stream: !Sub arn:aws:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2 + StartingPosition: LATEST + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + Topics: + - abcd + SchemaRegistryConfig: + SchemaRegistryURI: https://example.com/registry + EventRecordFormat: JSON + MSKFunctionWithoutEventRecordFormat: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://sam-demo-bucket/kafka.zip + Handler: index.kafka_handler + Runtime: python3.9 + Events: + MyKafkaCluster: + Type: MSK + Properties: + Stream: !Sub arn:aws:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2 + StartingPosition: LATEST + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + Topics: + - abcd + SchemaRegistryConfig: + SchemaRegistryURI: https://example.com/registry + SchemaValidationConfigs: + - Attribute: KEY + - Attribute: VALUE + MSKFunctionWithoutSchemaRegistryURI: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://sam-demo-bucket/kafka.zip + Handler: index.kafka_handler + Runtime: python3.9 + Events: + MyKafkaCluster: + Type: MSK + Properties: + Stream: !Sub arn:aws:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2 + StartingPosition: LATEST + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + Topics: + - abcd + SchemaRegistryConfig: + SchemaValidationConfigs: + - Attribute: KEY + - Attribute: VALUE + EventRecordFormat: JSON diff --git a/tests/translator/input/error_invalid_schema_registry_config_for_self_managed_kafka.yaml b/tests/translator/input/error_invalid_schema_registry_config_for_self_managed_kafka.yaml new file mode 100644 index 0000000000..a0c0d68a16 --- /dev/null +++ b/tests/translator/input/error_invalid_schema_registry_config_for_self_managed_kafka.yaml @@ -0,0 +1,85 @@ +AWSTemplateFormatVersion: '2010-09-09' +Parameters: {} +Resources: + KafkaFunctionWithoutSchemaValidationConfigs: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://sam-demo-bucket/kafka.zip + Handler: index.kafka_handler + Runtime: python3.9 + Events: + MyKafkaCluster: + Type: SelfManagedKafka + Properties: + StartingPosition: LATEST + KafkaBootstrapServers: + - abc.xyz.com:9092 + - 123.45.67.89:9096 + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + - Type: VPC_SUBNET + URI: subnet:subnet-12345 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-67890 + Topics: + - abcd + SchemaRegistryConfig: + SchemaRegistryURI: https://example.com/registry + EventRecordFormat: JSON + KafkaFunctionWithoutEventRecordFormat: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://sam-demo-bucket/kafka.zip + Handler: index.kafka_handler + Runtime: python3.9 + Events: + MyKafkaCluster: + Type: SelfManagedKafka + Properties: + StartingPosition: LATEST + KafkaBootstrapServers: + - abc.xyz.com:9092 + - 123.45.67.89:9096 + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + - Type: VPC_SUBNET + URI: subnet:subnet-12345 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-67890 + Topics: + - abcd + SchemaRegistryConfig: + SchemaRegistryURI: https://example.com/registry + SchemaValidationConfigs: + - Attribute: KEY + - Attribute: VALUE + KafkaFunctionWithoutSchemaRegistryURI: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://sam-demo-bucket/kafka.zip + Handler: index.kafka_handler + Runtime: python3.9 + Events: + MyKafkaCluster: + Type: SelfManagedKafka + Properties: + StartingPosition: LATEST + KafkaBootstrapServers: + - abc.xyz.com:9092 + - 123.45.67.89:9096 + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + - Type: VPC_SUBNET + URI: subnet:subnet-12345 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-67890 + Topics: + - abcd + SchemaRegistryConfig: + SchemaValidationConfigs: + - Attribute: KEY + - Attribute: VALUE + EventRecordFormat: JSON diff --git a/tests/translator/input/function_with_msk_with_schema_registry_config.yaml b/tests/translator/input/function_with_msk_with_schema_registry_config.yaml new file mode 100644 index 0000000000..3fb4f1b812 --- /dev/null +++ b/tests/translator/input/function_with_msk_with_schema_registry_config.yaml @@ -0,0 +1,94 @@ +AWSTemplateFormatVersion: '2010-09-09' +Parameters: {} + +Resources: + MyMskStreamProcessorWithGlueSchemaAndIamAuth: + Type: AWS::Serverless::Function + Properties: + Runtime: nodejs12.x + Handler: index.handler + CodeUri: s3://sam-demo-bucket/kafka.zip + Events: + MyMskEvent: + Type: MSK + Properties: + StartingPosition: LATEST + Stream: !Sub arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2 + Topics: + - MyDummyTestTopic + ConsumerGroupId: consumergroup1 + SchemaRegistryConfig: + SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1 + EventRecordFormat: JSON + SchemaValidationConfigs: + - Attribute: KEY + + MyMskStreamProcessorWithGlueSchemaAndBasicAuth: + Type: AWS::Serverless::Function + Properties: + Runtime: nodejs12.x + Handler: index.handler + CodeUri: s3://sam-demo-bucket/kafka.zip + Events: + MyMskEvent: + Type: MSK + Properties: + StartingPosition: LATEST + Stream: !Sub arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2 + Topics: + - MyDummyTestTopic + ConsumerGroupId: consumergroup1 + SchemaRegistryConfig: + SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1 + EventRecordFormat: JSON + AccessConfigs: + - Type: BASIC_AUTH + URI: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path + SchemaValidationConfigs: + - Attribute: KEY + - Attribute: VALUE + + MyMskStreamProcessorWithConfluentSchemaAndBasicAuth: + Type: AWS::Serverless::Function + Properties: + Runtime: nodejs12.x + Handler: index.handler + CodeUri: s3://sam-demo-bucket/kafka.zip + Events: + MyMskEvent: + Type: MSK + Properties: + StartingPosition: LATEST + Stream: !Sub arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2 + Topics: + - MyDummyTestTopic + ConsumerGroupId: consumergroup1 + SchemaRegistryConfig: + SchemaRegistryURI: https://example.com/registry + EventRecordFormat: JSON + AccessConfigs: + - Type: BASIC_AUTH + URI: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path + SchemaValidationConfigs: + - Attribute: KEY + - Attribute: VALUE + + MyMskStreamProcessorWithOnlySchemaRegistry: + Type: AWS::Serverless::Function + Properties: + Runtime: nodejs12.x + Handler: index.handler + CodeUri: s3://sam-demo-bucket/kafka.zip + Events: + MyMskEvent: + Type: MSK + Properties: + StartingPosition: LATEST + Stream: !Sub arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2 + Topics: + - MyDummyTestTopic + SchemaRegistryConfig: + SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1 + EventRecordFormat: JSON + SchemaValidationConfigs: + - Attribute: KEY diff --git a/tests/translator/input/function_with_self_managed_kafka_and_schema_registry.yaml b/tests/translator/input/function_with_self_managed_kafka_and_schema_registry.yaml new file mode 100644 index 0000000000..4842e52815 --- /dev/null +++ b/tests/translator/input/function_with_self_managed_kafka_and_schema_registry.yaml @@ -0,0 +1,127 @@ +AWSTemplateFormatVersion: '2010-09-09' +Parameters: {} +Resources: + MyKafkaStreamProcessorWithGlueSchemaAndIamAuth: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://sam-demo-bucket/kafka.zip + Handler: index.kafka_handler + Runtime: python3.9 + Events: + MyKafkaCluster: + Type: SelfManagedKafka + Properties: + KafkaBootstrapServers: + - abc.xyz.com:9092 + - 123.45.67.89:9096 + Topics: + - Topic1 + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + - Type: VPC_SUBNET + URI: subnet:subnet-12345 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-67890 + ConsumerGroupId: consumergroup1 + SchemaRegistryConfig: + SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1 + EventRecordFormat: JSON + SchemaValidationConfigs: + - Attribute: KEY + + MyKafkaStreamProcessorWithGlueSchemaAndBasicAuth: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://sam-demo-bucket/kafka.zip + Handler: index.kafka_handler + Runtime: python3.9 + Events: + MyKafkaCluster: + Type: SelfManagedKafka + Properties: + KafkaBootstrapServers: + - abc.xyz.com:9092 + - 123.45.67.89:9096 + Topics: + - Topic1 + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + - Type: VPC_SUBNET + URI: subnet:subnet-12345 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-67890 + ConsumerGroupId: consumergroup1 + SchemaRegistryConfig: + SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1 + EventRecordFormat: JSON + AccessConfigs: + - Type: BASIC_AUTH + URI: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path + SchemaValidationConfigs: + - Attribute: KEY + + + MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuth: + Type: AWS::Serverless::Function + Properties: + Runtime: nodejs12.x + Handler: index.handler + CodeUri: s3://sam-demo-bucket/kafka.zip + Events: + MyKafkaCluster: + Type: SelfManagedKafka + Properties: + StartingPosition: LATEST + KafkaBootstrapServers: + - abc.xyz.com:9092 + - 123.45.67.89:9096 + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + - Type: VPC_SUBNET + URI: subnet:subnet-12345 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-67890 + Topics: + - MyDummyTestTopic + ConsumerGroupId: consumergroup1 + SchemaRegistryConfig: + SchemaRegistryURI: https://example.com/registry + EventRecordFormat: JSON + AccessConfigs: + - Type: BASIC_AUTH + URI: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path + SchemaValidationConfigs: + - Attribute: KEY + - Attribute: VALUE + + MyMskStreamProcessorWithOnlySchemaRegistry: + Type: AWS::Serverless::Function + Properties: + Runtime: nodejs12.x + Handler: index.handler + CodeUri: s3://sam-demo-bucket/kafka.zip + Events: + MyKafkaCluster: + Type: SelfManagedKafka + Properties: + StartingPosition: LATEST + KafkaBootstrapServers: + - abc.xyz.com:9092 + - 123.45.67.89:9096 + SourceAccessConfigurations: + - Type: SASL_SCRAM_512_AUTH + URI: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + - Type: VPC_SUBNET + URI: subnet:subnet-12345 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-67890 + Topics: + - MyDummyTestTopic + SchemaRegistryConfig: + SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1 + EventRecordFormat: JSON + SchemaValidationConfigs: + - Attribute: KEY diff --git a/tests/translator/output/aws-cn/cognito_template_with_new_properties.json b/tests/translator/output/aws-cn/cognito_template_with_new_properties.json new file mode 100644 index 0000000000..7869a8eda5 --- /dev/null +++ b/tests/translator/output/aws-cn/cognito_template_with_new_properties.json @@ -0,0 +1,15 @@ +{ + "Resources": { + "MyUserPool": { + "Properties": { + "EmailAuthenticationMessage": "Your verification code is {####}", + "EmailAuthenticationSubject": "Your verification code", + "UserPoolName": "MyUserPool", + "UserPoolTier": "PLUS", + "WebAuthnRelyingPartyID": "id", + "WebAuthnUserVerification": "required" + }, + "Type": "AWS::Cognito::UserPool" + } + } +} diff --git a/tests/translator/output/aws-cn/function_with_msk_with_schema_registry_config.json b/tests/translator/output/aws-cn/function_with_msk_with_schema_registry_config.json new file mode 100644 index 0000000000..49e4a12cd6 --- /dev/null +++ b/tests/translator/output/aws-cn/function_with_msk_with_schema_registry_config.json @@ -0,0 +1,471 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": {}, + "Resources": { + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuthMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": "https://example.com/registry", + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + }, + { + "Attribute": "VALUE" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithConfluentSchemaAndBasicAuth" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithGlueSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithGlueSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithGlueSchemaAndBasicAuthMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + }, + { + "Attribute": "VALUE" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithGlueSchemaAndBasicAuth" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithGlueSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithGlueSchemaAndIamAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithGlueSchemaAndIamAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithGlueSchemaAndIamAuthMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithGlueSchemaAndIamAuth" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithGlueSchemaAndIamAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithOnlySchemaRegistry": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithOnlySchemaRegistryRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithOnlySchemaRegistry" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/aws-cn/function_with_self_managed_kafka_and_schema_registry.json b/tests/translator/output/aws-cn/function_with_self_managed_kafka_and_schema_registry.json new file mode 100644 index 0000000000..25e5c57cab --- /dev/null +++ b/tests/translator/output/aws-cn/function_with_self_managed_kafka_and_schema_registry.json @@ -0,0 +1,618 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": {}, + "Resources": { + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuthMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuth" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": "https://example.com/registry", + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + }, + { + "Attribute": "VALUE" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.kafka_handler", + "Role": { + "Fn::GetAtt": [ + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "python3.9", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuthMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuth" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "Topics": [ + "Topic1" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.kafka_handler", + "Role": { + "Fn::GetAtt": [ + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuthRole", + "Arn" + ] + }, + "Runtime": "python3.9", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuthMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyKafkaStreamProcessorWithGlueSchemaAndIamAuth" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "Topics": [ + "Topic1" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithOnlySchemaRegistry": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithOnlySchemaRegistryRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyMskStreamProcessorWithOnlySchemaRegistry" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/aws-us-gov/cognito_template_with_new_properties.json b/tests/translator/output/aws-us-gov/cognito_template_with_new_properties.json new file mode 100644 index 0000000000..7869a8eda5 --- /dev/null +++ b/tests/translator/output/aws-us-gov/cognito_template_with_new_properties.json @@ -0,0 +1,15 @@ +{ + "Resources": { + "MyUserPool": { + "Properties": { + "EmailAuthenticationMessage": "Your verification code is {####}", + "EmailAuthenticationSubject": "Your verification code", + "UserPoolName": "MyUserPool", + "UserPoolTier": "PLUS", + "WebAuthnRelyingPartyID": "id", + "WebAuthnUserVerification": "required" + }, + "Type": "AWS::Cognito::UserPool" + } + } +} diff --git a/tests/translator/output/aws-us-gov/function_with_msk_with_schema_registry_config.json b/tests/translator/output/aws-us-gov/function_with_msk_with_schema_registry_config.json new file mode 100644 index 0000000000..a2f631553e --- /dev/null +++ b/tests/translator/output/aws-us-gov/function_with_msk_with_schema_registry_config.json @@ -0,0 +1,471 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": {}, + "Resources": { + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuthMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": "https://example.com/registry", + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + }, + { + "Attribute": "VALUE" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithConfluentSchemaAndBasicAuth" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithGlueSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithGlueSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithGlueSchemaAndBasicAuthMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + }, + { + "Attribute": "VALUE" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithGlueSchemaAndBasicAuth" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithGlueSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithGlueSchemaAndIamAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithGlueSchemaAndIamAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithGlueSchemaAndIamAuthMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithGlueSchemaAndIamAuth" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithGlueSchemaAndIamAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithOnlySchemaRegistry": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithOnlySchemaRegistryRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithOnlySchemaRegistry" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/aws-us-gov/function_with_self_managed_kafka_and_schema_registry.json b/tests/translator/output/aws-us-gov/function_with_self_managed_kafka_and_schema_registry.json new file mode 100644 index 0000000000..3d0fa8cffa --- /dev/null +++ b/tests/translator/output/aws-us-gov/function_with_self_managed_kafka_and_schema_registry.json @@ -0,0 +1,618 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": {}, + "Resources": { + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuthMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuth" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": "https://example.com/registry", + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + }, + { + "Attribute": "VALUE" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.kafka_handler", + "Role": { + "Fn::GetAtt": [ + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "python3.9", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuthMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuth" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "Topics": [ + "Topic1" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.kafka_handler", + "Role": { + "Fn::GetAtt": [ + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuthRole", + "Arn" + ] + }, + "Runtime": "python3.9", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuthMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyKafkaStreamProcessorWithGlueSchemaAndIamAuth" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "Topics": [ + "Topic1" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithOnlySchemaRegistry": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithOnlySchemaRegistryRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyMskStreamProcessorWithOnlySchemaRegistry" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/cognito_template_with_new_properties.json b/tests/translator/output/cognito_template_with_new_properties.json new file mode 100644 index 0000000000..7869a8eda5 --- /dev/null +++ b/tests/translator/output/cognito_template_with_new_properties.json @@ -0,0 +1,15 @@ +{ + "Resources": { + "MyUserPool": { + "Properties": { + "EmailAuthenticationMessage": "Your verification code is {####}", + "EmailAuthenticationSubject": "Your verification code", + "UserPoolName": "MyUserPool", + "UserPoolTier": "PLUS", + "WebAuthnRelyingPartyID": "id", + "WebAuthnUserVerification": "required" + }, + "Type": "AWS::Cognito::UserPool" + } + } +} diff --git a/tests/translator/output/error_invalid_schema_registry_config_for_kafka.json b/tests/translator/output/error_invalid_schema_registry_config_for_kafka.json new file mode 100644 index 0000000000..da02e0f6a6 --- /dev/null +++ b/tests/translator/output/error_invalid_schema_registry_config_for_kafka.json @@ -0,0 +1,25 @@ +{ + "_autoGeneratedBreakdownErrorMessage": [ + "Invalid Serverless Application Specification document. ", + "Number of errors found: 3. ", + "Resource with id [MSKFunctionWithoutEventRecordFormat] is invalid. ", + "Event with id [MyKafkaCluster] is invalid. ", + "Missing required field EventRecordFormat in SchemaRegistryConfig Resource with id [MSKFunctionWithoutSchemaRegistryURI] is invalid. ", + "Event with id [MyKafkaCluster] is invalid. ", + "Missing required field SchemaRegistryURI in SchemaRegistryConfig Resource with id [MSKFunctionWithoutSchemaValidationConfigs] is invalid. ", + "Event with id [MyKafkaCluster] is invalid. ", + "Missing required field SchemaValidationConfigs in SchemaRegistryConfig" + ], + "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 3. Resource with id [MSKFunctionWithoutEventRecordFormat] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field EventRecordFormat in SchemaRegistryConfig Resource with id [MSKFunctionWithoutSchemaRegistryURI] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field SchemaRegistryURI in SchemaRegistryConfig Resource with id [MSKFunctionWithoutSchemaValidationConfigs] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field SchemaValidationConfigs in SchemaRegistryConfig", + "errors": [ + { + "errorMessage": "Resource with id [MSKFunctionWithoutEventRecordFormat] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field EventRecordFormat in SchemaRegistryConfig" + }, + { + "errorMessage": "Resource with id [MSKFunctionWithoutSchemaRegistryURI] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field SchemaRegistryURI in SchemaRegistryConfig" + }, + { + "errorMessage": "Resource with id [MSKFunctionWithoutSchemaValidationConfigs] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field SchemaValidationConfigs in SchemaRegistryConfig" + } + ] +} diff --git a/tests/translator/output/error_invalid_schema_registry_config_for_self_managed_kafka.json b/tests/translator/output/error_invalid_schema_registry_config_for_self_managed_kafka.json new file mode 100644 index 0000000000..8e46c0bd30 --- /dev/null +++ b/tests/translator/output/error_invalid_schema_registry_config_for_self_managed_kafka.json @@ -0,0 +1,25 @@ +{ + "_autoGeneratedBreakdownErrorMessage": [ + "Invalid Serverless Application Specification document. ", + "Number of errors found: 3. ", + "Resource with id [KafkaFunctionWithoutEventRecordFormat] is invalid. ", + "Event with id [MyKafkaCluster] is invalid. ", + "Missing required field EventRecordFormat in SchemaRegistryConfig Resource with id [KafkaFunctionWithoutSchemaRegistryURI] is invalid. ", + "Event with id [MyKafkaCluster] is invalid. ", + "Missing required field SchemaRegistryURI in SchemaRegistryConfig Resource with id [KafkaFunctionWithoutSchemaValidationConfigs] is invalid. ", + "Event with id [MyKafkaCluster] is invalid. ", + "Missing required field SchemaValidationConfigs in SchemaRegistryConfig" + ], + "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 3. Resource with id [KafkaFunctionWithoutEventRecordFormat] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field EventRecordFormat in SchemaRegistryConfig Resource with id [KafkaFunctionWithoutSchemaRegistryURI] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field SchemaRegistryURI in SchemaRegistryConfig Resource with id [KafkaFunctionWithoutSchemaValidationConfigs] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field SchemaValidationConfigs in SchemaRegistryConfig", + "errors": [ + { + "errorMessage": "Resource with id [KafkaFunctionWithoutEventRecordFormat] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field EventRecordFormat in SchemaRegistryConfig" + }, + { + "errorMessage": "Resource with id [KafkaFunctionWithoutSchemaRegistryURI] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field SchemaRegistryURI in SchemaRegistryConfig" + }, + { + "errorMessage": "Resource with id [KafkaFunctionWithoutSchemaValidationConfigs] is invalid. Event with id [MyKafkaCluster] is invalid. Missing required field SchemaValidationConfigs in SchemaRegistryConfig" + } + ] +} diff --git a/tests/translator/output/function_with_msk_with_schema_registry_config.json b/tests/translator/output/function_with_msk_with_schema_registry_config.json new file mode 100644 index 0000000000..d3759b50d2 --- /dev/null +++ b/tests/translator/output/function_with_msk_with_schema_registry_config.json @@ -0,0 +1,471 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": {}, + "Resources": { + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuthMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": "https://example.com/registry", + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + }, + { + "Attribute": "VALUE" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithConfluentSchemaAndBasicAuth" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithConfluentSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithGlueSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithGlueSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithGlueSchemaAndBasicAuthMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + }, + { + "Attribute": "VALUE" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithGlueSchemaAndBasicAuth" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithGlueSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithGlueSchemaAndIamAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithGlueSchemaAndIamAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithGlueSchemaAndIamAuthMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithGlueSchemaAndIamAuth" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithGlueSchemaAndIamAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithOnlySchemaRegistry": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithOnlySchemaRegistryRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryMyMskEvent": { + "Properties": { + "AmazonManagedKafkaEventSourceConfig": { + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "EventSourceArn": { + "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2" + }, + "FunctionName": { + "Ref": "MyMskStreamProcessorWithOnlySchemaRegistry" + }, + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ] + }, + "PolicyName": "MSKExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} diff --git a/tests/translator/output/function_with_self_managed_kafka_and_schema_registry.json b/tests/translator/output/function_with_self_managed_kafka_and_schema_registry.json new file mode 100644 index 0000000000..0563f1b507 --- /dev/null +++ b/tests/translator/output/function_with_self_managed_kafka_and_schema_registry.json @@ -0,0 +1,618 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": {}, + "Resources": { + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuthMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuth" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": "https://example.com/registry", + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + }, + { + "Attribute": "VALUE" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyKafkaStreamProcessorWithConfluentSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.kafka_handler", + "Role": { + "Fn::GetAtt": [ + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuthRole", + "Arn" + ] + }, + "Runtime": "python3.9", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuthMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuth" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "AccessConfigs": [ + { + "Type": "BASIC_AUTH", + "URI": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + } + ], + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "Topics": [ + "Topic1" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndBasicAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:123456789012:secret:my-path" + } + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuth": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.kafka_handler", + "Role": { + "Fn::GetAtt": [ + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuthRole", + "Arn" + ] + }, + "Runtime": "python3.9", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuthMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyKafkaStreamProcessorWithGlueSchemaAndIamAuth" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "consumergroup1", + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "Topics": [ + "Topic1" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyKafkaStreamProcessorWithGlueSchemaAndIamAuthRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + }, + "MyMskStreamProcessorWithOnlySchemaRegistry": { + "Properties": { + "Code": { + "S3Bucket": "sam-demo-bucket", + "S3Key": "kafka.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyMskStreamProcessorWithOnlySchemaRegistryRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::Lambda::Function" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryMyKafkaCluster": { + "Properties": { + "FunctionName": { + "Ref": "MyMskStreamProcessorWithOnlySchemaRegistry" + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "abc.xyz.com:9092", + "123.45.67.89:9096" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "SchemaRegistryConfig": { + "EventRecordFormat": "JSON", + "SchemaRegistryURI": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + }, + "SchemaValidationConfigs": [ + { + "Attribute": "KEY" + } + ] + } + }, + "SourceAccessConfigurations": [ + { + "Type": "SASL_SCRAM_512_AUTH", + "URI": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Type": "VPC_SUBNET", + "URI": "subnet:subnet-12345" + }, + { + "Type": "VPC_SECURITY_GROUP", + "URI": "security_group:sg-67890" + } + ], + "StartingPosition": "LATEST", + "Topics": [ + "MyDummyTestTopic" + ] + }, + "Type": "AWS::Lambda::EventSourceMapping" + }, + "MyMskStreamProcessorWithOnlySchemaRegistryRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c" + }, + { + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetRegistry" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:012345678901:registry/registry1" + } + }, + { + "Action": [ + "glue:GetSchemaVersion" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/registry1/*" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SelfManagedKafkaExecutionRolePolicy" + } + ], + "Tags": [ + { + "Key": "lambda:createdBy", + "Value": "SAM" + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +}